From a01ab19b2f4fdea3b45bd8e2e689d28000697d54 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 11 May 2026 12:04:28 -0400 Subject: [PATCH 01/33] add legal presets, file-based compliance artifacts Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- socketsecurity/config.py | 45 ++++++++++++ socketsecurity/output.py | 143 +++++++++++++++++++++++++++------------ 2 files changed, 143 insertions(+), 45 deletions(-) diff --git a/socketsecurity/config.py b/socketsecurity/config.py index 9c3b40b..7c56597 100644 --- a/socketsecurity/config.py +++ b/socketsecurity/config.py @@ -79,6 +79,7 @@ class CliConfig: enable_debug: bool = False allow_unverified: bool = False enable_json: bool = False + json_file: Optional[str] = None enable_sarif: bool = False sarif_file: Optional[str] = None sarif_scope: str = "diff" @@ -86,6 +87,8 @@ class CliConfig: sarif_reachability: str = "all" enable_gitlab_security: bool = False gitlab_security_file: Optional[str] = None + summary_file: Optional[str] = None + report_link_file: Optional[str] = None disable_overview: bool = False disable_security_issue: bool = False files: str = None @@ -132,6 +135,7 @@ class CliConfig: reach_use_only_pregenerated_sboms: bool = False max_purl_batch_size: int = 5000 enable_commit_status: bool = False + legal: bool = False config_file: Optional[str] = None @classmethod @@ -189,6 +193,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'enable_diff': args.enable_diff, 'allow_unverified': args.allow_unverified, 'enable_json': args.enable_json, + 'json_file': args.json_file, 'enable_sarif': args.enable_sarif, 'sarif_file': args.sarif_file, 'sarif_scope': args.sarif_scope, @@ -196,6 +201,8 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'sarif_reachability': args.sarif_reachability, 'enable_gitlab_security': args.enable_gitlab_security, 'gitlab_security_file': args.gitlab_security_file, + 'summary_file': args.summary_file, + 'report_link_file': args.report_link_file, 'disable_overview': args.disable_overview, 'disable_security_issue': args.disable_security_issue, 'files': args.files, @@ -236,9 +243,23 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'reach_use_only_pregenerated_sboms': args.reach_use_only_pregenerated_sboms, 'max_purl_batch_size': args.max_purl_batch_size, 'enable_commit_status': args.enable_commit_status, + 'legal': args.legal, 'config_file': args.config_file, 'version': __version__ } + + if args.legal: + config_args['generate_license'] = True + if not config_args['json_file']: + config_args['json_file'] = "socket-report.json" + if not config_args['summary_file']: + config_args['summary_file'] = "socket-summary.txt" + if not config_args['report_link_file']: + config_args['report_link_file'] = "socket-report-link.txt" + if not config_args['sbom_file']: + config_args['sbom_file'] = "socket-sbom.json" + if config_args['license_file_name'] == "license_output.json": + config_args['license_file_name'] = "socket-license.json" excluded_ecosystems = config_args["excluded_ecosystems"] if isinstance(excluded_ecosystems, list): config_args["excluded_ecosystems"] = excluded_ecosystems @@ -560,6 +581,12 @@ def create_argument_parser() -> argparse.ArgumentParser: action="store_true", help="Output in JSON format" ) + output_group.add_argument( + "--json-file", + dest="json_file", + metavar="", + help="Output file path for JSON report" + ) output_group.add_argument( "--enable-sarif", dest="enable_sarif", @@ -607,6 +634,18 @@ def create_argument_parser() -> argparse.ArgumentParser: default="gl-dependency-scanning-report.json", help="Output file path for GitLab Security report (default: gl-dependency-scanning-report.json)" ) + output_group.add_argument( + "--summary-file", + dest="summary_file", + metavar="", + help="Output file path for a plain-text summary report" + ) + output_group.add_argument( + "--report-link-file", + dest="report_link_file", + metavar="", + help="Output file path for the Socket report link" + ) output_group.add_argument( "--disable-overview", dest="disable_overview", @@ -723,6 +762,12 @@ def create_argument_parser() -> argparse.ArgumentParser: action="store_true", help="Disable SSL certificate verification for API requests" ) + advanced_group.add_argument( + "--legal", + dest="legal", + action="store_true", + help="Enable legal/compliance-friendly defaults and file outputs" + ) config_group.add_argument( "--include-module-folders", dest="include_module_folders", diff --git a/socketsecurity/output.py b/socketsecurity/output.py index 921ca79..7d1daf5 100644 --- a/socketsecurity/output.py +++ b/socketsecurity/output.py @@ -90,6 +90,9 @@ def handle_output(self, diff_report: Diff) -> None: plugin_mgr = PluginManager({"slack": slack_config}) plugin_mgr.send(diff_report, config=self.config) + self.save_json_file(diff_report, getattr(self.config, "json_file", None)) + self.save_summary_file(diff_report, getattr(self.config, "summary_file", None)) + self.save_report_link_file(diff_report, getattr(self.config, "report_link_file", None)) self.save_sbom_file(diff_report, self.config.sbom_file) def return_exit_code(self, diff_report: Diff) -> int: @@ -107,50 +110,15 @@ def return_exit_code(self, diff_report: Diff) -> int: def output_console_comments(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None: """Outputs formatted console comments""" - selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) - has_new_alerts = len(selected_alerts) > 0 - has_unchanged_alerts = ( - self.config.strict_blocking and - hasattr(diff_report, 'unchanged_alerts') and - len(diff_report.unchanged_alerts) > 0 - ) - - if not has_new_alerts and not has_unchanged_alerts: - self.logger.info("No issues found") - return - - # Count blocking vs warning alerts - new_blocking = sum(1 for issue in diff_report.new_alerts if issue.error) - new_warning = sum(1 for issue in diff_report.new_alerts if issue.warn) - - unchanged_blocking = 0 - unchanged_warning = 0 - if has_unchanged_alerts: - unchanged_blocking = sum(1 for issue in diff_report.unchanged_alerts if issue.error) - unchanged_warning = sum(1 for issue in diff_report.unchanged_alerts if issue.warn) - - selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) - console_security_comment = Messages.create_console_security_alert_table(selected_diff) - - # Build status message - self.logger.info("Security issues detected by Socket Security:") - if new_blocking > 0: - self.logger.info(f" - NEW blocking issues: {new_blocking}") - if new_warning > 0: - self.logger.info(f" - NEW warning issues: {new_warning}") - if unchanged_blocking > 0: - self.logger.info(f" - EXISTING blocking issues: {unchanged_blocking} (causing failure due to --strict-blocking)") - if unchanged_warning > 0: - self.logger.info(f" - EXISTING warning issues: {unchanged_warning}") - - self.logger.info(f"Diff Url: {diff_report.diff_url}") - self.logger.info(f"\n{console_security_comment}") + summary_text = self.build_summary_text(diff_report) + for line in summary_text.splitlines(): + self.logger.info(line) + if not summary_text.strip(): + self.logger.info("") def output_console_json(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None: """Outputs JSON formatted results""" - selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) - selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) - console_security_comment = Messages.create_security_comment_json(selected_diff) + console_security_comment = self.build_json_report(diff_report) self.save_sbom_file(diff_report, sbom_file_name) self.logger.info(json.dumps(console_security_comment)) @@ -249,11 +217,96 @@ def save_sbom_file(self, diff_report: Diff, sbom_file_name: Optional[str] = None if not sbom_file_name or not diff_report.sbom: return - sbom_path = Path(sbom_file_name) - sbom_path.parent.mkdir(parents=True, exist_ok=True) + self.write_json_file(sbom_file_name, diff_report.sbom) - with open(sbom_path, "w") as f: - json.dump(diff_report.sbom, f, indent=2) + def build_summary_text(self, diff_report: Diff) -> str: + """Render the console summary text for stdout and file output.""" + selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) + has_new_alerts = len(selected_alerts) > 0 + has_unchanged_alerts = ( + self.config.strict_blocking and + hasattr(diff_report, 'unchanged_alerts') and + len(diff_report.unchanged_alerts) > 0 + ) + + if not has_new_alerts and not has_unchanged_alerts: + return "No issues found" + + new_blocking = sum(1 for issue in diff_report.new_alerts if issue.error) + new_warning = sum(1 for issue in diff_report.new_alerts if issue.warn) + + unchanged_blocking = 0 + unchanged_warning = 0 + if has_unchanged_alerts: + unchanged_blocking = sum(1 for issue in diff_report.unchanged_alerts if issue.error) + unchanged_warning = sum(1 for issue in diff_report.unchanged_alerts if issue.warn) + + selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) + console_security_comment = Messages.create_console_security_alert_table(selected_diff) + + lines = ["Security issues detected by Socket Security:"] + if new_blocking > 0: + lines.append(f" - NEW blocking issues: {new_blocking}") + if new_warning > 0: + lines.append(f" - NEW warning issues: {new_warning}") + if unchanged_blocking > 0: + lines.append( + f" - EXISTING blocking issues: {unchanged_blocking} (causing failure due to --strict-blocking)" + ) + if unchanged_warning > 0: + lines.append(f" - EXISTING warning issues: {unchanged_warning}") + + report_link = getattr(diff_report, "report_url", "") or getattr(diff_report, "diff_url", "") + lines.append(f"Diff Url: {report_link}") + lines.append("") + lines.append(str(console_security_comment)) + return "\n".join(lines) + + def build_json_report(self, diff_report: Diff) -> dict: + """Build the JSON report payload for stdout and file output.""" + selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) + selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) + report = Messages.create_security_comment_json(selected_diff) + legal_flag = getattr(self.config, "legal", False) + repo = getattr(self.config, "repo", None) + branch = getattr(self.config, "branch", None) + commit_sha = getattr(self.config, "commit_sha", None) + report["report_url"] = getattr(diff_report, "report_url", None) + report["repo"] = repo if isinstance(repo, str) or repo is None else None + report["branch"] = branch if isinstance(branch, str) or branch is None else None + report["commit_sha"] = commit_sha if isinstance(commit_sha, str) or commit_sha is None else None + report["legal_mode"] = legal_flag if isinstance(legal_flag, bool) else False + return report + + def save_json_file(self, diff_report: Diff, json_file_name: Optional[str] = None) -> None: + if not json_file_name: + return + self.write_json_file(json_file_name, self.build_json_report(diff_report)) + + def save_summary_file(self, diff_report: Diff, summary_file_name: Optional[str] = None) -> None: + if not summary_file_name: + return + self.write_text_file(summary_file_name, self.build_summary_text(diff_report) + "\n") + + def save_report_link_file(self, diff_report: Diff, report_link_file_name: Optional[str] = None) -> None: + if not report_link_file_name: + return + report_link = getattr(diff_report, "report_url", "") or getattr(diff_report, "diff_url", "") + if not report_link: + return + self.write_text_file(report_link_file_name, report_link + "\n") + + def write_json_file(self, file_name: str, content: Any) -> None: + file_path = Path(file_name) + file_path.parent.mkdir(parents=True, exist_ok=True) + with open(file_path, "w") as f: + json.dump(content, f, indent=2) + + def write_text_file(self, file_name: str, content: str) -> None: + file_path = Path(file_name) + file_path.parent.mkdir(parents=True, exist_ok=True) + with open(file_path, "w") as f: + f.write(content) def output_gitlab_security(self, diff_report: Diff) -> None: """ From 02012d6f0e600d31359cc3d4aa56a596c8bceeae Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 11 May 2026 12:05:32 -0400 Subject: [PATCH 02/33] add unit test coverage for new config defaults and outputs Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- tests/unit/test_cli_config.py | 28 ++++++++- tests/unit/test_output.py | 105 ++++++++++++++++++++++++++++++++++ 2 files changed, 132 insertions(+), 1 deletion(-) diff --git a/tests/unit/test_cli_config.py b/tests/unit/test_cli_config.py index 045f0e4..295ad5f 100644 --- a/tests/unit/test_cli_config.py +++ b/tests/unit/test_cli_config.py @@ -81,4 +81,30 @@ def test_workspace_is_independent_of_workspace_name(self): "--workspace-name", "monorepo-suffix", ]) assert config.workspace == "my-workspace" - assert config.workspace_name == "monorepo-suffix" \ No newline at end of file + assert config.workspace_name == "monorepo-suffix" + + def test_legal_flag_sets_default_artifact_files(self): + config = CliConfig.from_args(["--api-token", "test", "--legal"]) + assert config.legal is True + assert config.generate_license is True + assert config.json_file == "socket-report.json" + assert config.summary_file == "socket-summary.txt" + assert config.report_link_file == "socket-report-link.txt" + assert config.sbom_file == "socket-sbom.json" + assert config.license_file_name == "socket-license.json" + + def test_legal_flag_preserves_explicit_file_paths(self): + config = CliConfig.from_args([ + "--api-token", "test", + "--legal", + "--json-file", "custom-report.json", + "--summary-file", "custom-summary.txt", + "--report-link-file", "custom-link.txt", + "--sbom-file", "custom-sbom.json", + "--license-file-name", "custom-license.json", + ]) + assert config.json_file == "custom-report.json" + assert config.summary_file == "custom-summary.txt" + assert config.report_link_file == "custom-link.txt" + assert config.sbom_file == "custom-sbom.json" + assert config.license_file_name == "custom-license.json" diff --git a/tests/unit/test_output.py b/tests/unit/test_output.py index 0fe007e..9080f03 100644 --- a/tests/unit/test_output.py +++ b/tests/unit/test_output.py @@ -123,6 +123,111 @@ def test_sbom_file_saving(self, handler, tmp_path): handler.save_sbom_file(diff, str(sbom_path)) assert sbom_path.exists() + def test_json_file_saving(self, tmp_path): + from socketsecurity.config import CliConfig + from unittest.mock import Mock + + json_path = tmp_path / "report.json" + + config = Mock(spec=CliConfig) + config.disable_blocking = False + config.strict_blocking = False + config.json_file = str(json_path) + config.summary_file = None + config.report_link_file = None + config.sbom_file = None + config.legal = True + config.repo = "owner/repo" + config.branch = "main" + config.commit_sha = "abc123" + config.enable_json = False + config.enable_sarif = False + config.enable_gitlab_security = False + config.enable_debug = False + + handler = OutputHandler(config, Mock()) + + diff = Diff() + diff.id = "scan-123" + diff.diff_url = "https://socket.dev/diff/123" + diff.report_url = "https://socket.dev/report/123" + diff.new_alerts = [ + Issue( + title="Test", + severity="high", + description="desc", + error=True, + key="test-key", + type="vulnerability", + pkg_type="npm", + pkg_name="test-package", + pkg_version="1.0.0", + purl="pkg:npm/test-package@1.0.0", + url="https://socket.dev/npm/package/test-package/alerts/1.0.0", + ) + ] + + handler.save_json_file(diff, str(json_path)) + + saved = json.loads(json_path.read_text()) + assert saved["full_scan_id"] == "scan-123" + assert saved["report_url"] == "https://socket.dev/report/123" + assert saved["repo"] == "owner/repo" + assert saved["branch"] == "main" + assert saved["commit_sha"] == "abc123" + assert saved["legal_mode"] is True + + def test_summary_and_report_link_files_are_written(self, tmp_path): + from socketsecurity.config import CliConfig + from unittest.mock import Mock + + summary_path = tmp_path / "summary.txt" + report_link_path = tmp_path / "report-link.txt" + + config = Mock(spec=CliConfig) + config.disable_blocking = False + config.strict_blocking = False + config.json_file = None + config.summary_file = str(summary_path) + config.report_link_file = str(report_link_path) + config.sbom_file = None + config.legal = False + config.repo = None + config.branch = "" + config.commit_sha = "" + config.enable_json = False + config.enable_sarif = False + config.enable_gitlab_security = False + config.enable_debug = False + + handler = OutputHandler(config, Mock()) + + diff = Diff() + diff.id = "scan-123" + diff.diff_url = "https://socket.dev/diff/123" + diff.report_url = "https://socket.dev/report/123" + diff.new_alerts = [ + Issue( + title="Test", + severity="high", + description="desc", + error=True, + key="test-key", + type="vulnerability", + pkg_type="npm", + pkg_name="test-package", + pkg_version="1.0.0", + purl="pkg:npm/test-package@1.0.0", + url="https://socket.dev/npm/package/test-package/alerts/1.0.0", + ) + ] + + handler.save_summary_file(diff, str(summary_path)) + handler.save_report_link_file(diff, str(report_link_path)) + + assert "Security issues detected by Socket Security:" in summary_path.read_text() + assert report_link_path.read_text().strip() == "https://socket.dev/report/123" + def test_report_pass_with_strict_blocking_new_alerts(self): """Test that strict-blocking fails on new blocking alerts""" from socketsecurity.config import CliConfig From f1764b49a405abb835959637f2a7393a067bf6bc Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 11 May 2026 12:06:16 -0400 Subject: [PATCH 03/33] document legal preset flag and default artifacts Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/README.md b/README.md index 7929189..97519bd 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,7 @@ socketcli \ | Use case | Recommended mode | Key flags | |:--|:--|:--| | Basic policy enforcement in CI | Diff-based policy check | `--strict-blocking` | +| Legal/compliance artifact generation | Legal preset | `--legal` | | Reachable-focused SARIF for reporting | Full-scope grouped SARIF | `--reach --sarif-scope full --sarif-grouping alert --sarif-reachability reachable --sarif-file ` | | Detailed reachability export for investigations | Full-scope instance SARIF | `--reach --sarif-scope full --sarif-grouping instance --sarif-reachability all --sarif-file ` | | Net-new PR findings only | Diff-scope SARIF | `--reach --sarif-scope diff --sarif-reachability reachable --sarif-file ` | @@ -134,6 +135,19 @@ Run: socketcli --config .socketcli.toml --target-path . ``` +Legal/compliance preset example: + +```bash +socketcli --legal --target-path . +``` + +This preset enables license generation and writes default artifacts unless you override them: +- `socket-report.json` +- `socket-summary.txt` +- `socket-report-link.txt` +- `socket-sbom.json` +- `socket-license.json` + Reference sample configs: TOML: From 0e798dbcc80e203fb7e7aae65af0b968429bcac8 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 11 May 2026 12:13:44 -0400 Subject: [PATCH 04/33] update lockfile Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- uv.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uv.lock b/uv.lock index 4c6607f..5b3776d 100644 --- a/uv.lock +++ b/uv.lock @@ -1168,7 +1168,7 @@ wheels = [ [[package]] name = "socketsecurity" -version = "2.2.78" +version = "2.2.80" source = { editable = "." } dependencies = [ { name = "bs4" }, From 0e968b39ff33b85c727464b0b53ac14c836f2696 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 11 May 2026 12:16:18 -0400 Subject: [PATCH 05/33] bump version to pass checks Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- pyproject.toml | 2 +- socketsecurity/__init__.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 49bb294..feaa859 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ build-backend = "hatchling.build" [project] name = "socketsecurity" -version = "2.2.86" +version = "2.2.87" requires-python = ">= 3.11" license = {"file" = "LICENSE"} dependencies = [ diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py index c816fab..69d6f7b 100644 --- a/socketsecurity/__init__.py +++ b/socketsecurity/__init__.py @@ -1,3 +1,3 @@ __author__ = 'socket.dev' -__version__ = '2.2.86' +__version__ = '2.2.87' USER_AGENT = f'SocketPythonCLI/{__version__}' From 1b9f951b41aa82dbb82666e84cecf6a372e831a5 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 11 May 2026 14:53:37 -0400 Subject: [PATCH 06/33] update lockfile to match new version Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- uv.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uv.lock b/uv.lock index a90e6b2..5a67fa0 100644 --- a/uv.lock +++ b/uv.lock @@ -1168,7 +1168,7 @@ wheels = [ [[package]] name = "socketsecurity" -version = "2.2.86" +version = "2.2.87" source = { editable = "." } dependencies = [ { name = "bs4" }, From ee8e36a0f49d1d937b2e3809595ef2fdd77f6feb Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 11 May 2026 14:55:17 -0400 Subject: [PATCH 07/33] handle missing SBOM and package data in legal artifacts Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- socketsecurity/output.py | 8 ++++++-- socketsecurity/socketcli.py | 39 ++++++++++++++++++++++--------------- 2 files changed, 29 insertions(+), 18 deletions(-) diff --git a/socketsecurity/output.py b/socketsecurity/output.py index 7d1daf5..6761243 100644 --- a/socketsecurity/output.py +++ b/socketsecurity/output.py @@ -214,10 +214,14 @@ def report_pass(self, diff_report: Diff) -> bool: def save_sbom_file(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None: """Saves SBOM file if filename is provided""" - if not sbom_file_name or not diff_report.sbom: + if not sbom_file_name: return - self.write_json_file(sbom_file_name, diff_report.sbom) + sbom_data = getattr(diff_report, "sbom", None) + if sbom_data is None: + sbom_data = [] + + self.write_json_file(sbom_file_name, sbom_data) def build_summary_text(self, diff_report: Diff) -> str: """Render the console summary text for stdout and file output.""" diff --git a/socketsecurity/socketcli.py b/socketsecurity/socketcli.py index 1f2b166..34de8ec 100644 --- a/socketsecurity/socketcli.py +++ b/socketsecurity/socketcli.py @@ -26,6 +26,28 @@ load_dotenv() + +def build_license_artifact_payload(diff: Diff) -> dict: + """Build the license artifact payload from a diff, tolerating sparse scan paths.""" + all_packages = {} + packages = getattr(diff, "packages", {}) or {} + for purl in packages: + package = packages[purl] + output = { + "id": package.id, + "name": package.name, + "version": package.version, + "ecosystem": package.type, + "direct": package.direct, + "url": package.url, + "license": package.license, + "licenseDetails": package.licenseDetails, + "licenseAttrib": package.licenseAttrib, + "purl": package.purl, + } + all_packages[package.id] = output + return all_packages + def cli(): try: main_code() @@ -743,22 +765,7 @@ def _is_unprocessed(c): # Handle license generation if not should_skip_scan and diff.id != "NO_DIFF_RAN" and diff.id != "NO_SCAN_RAN" and config.generate_license: - all_packages = {} - for purl in diff.packages: - package = diff.packages[purl] - output = { - "id": package.id, - "name": package.name, - "version": package.version, - "ecosystem": package.type, - "direct": package.direct, - "url": package.url, - "license": package.license, - "licenseDetails": package.licenseDetails, - "licenseAttrib": package.licenseAttrib, - "purl": package.purl, - } - all_packages[package.id] = output + all_packages = build_license_artifact_payload(diff) core.save_file(config.license_file_name, json.dumps(all_packages)) # If we forced API mode due to no supported files, behave as if --disable-blocking was set From 828f798a14b80823b8a62db84a205d778c27ed58 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 11 May 2026 14:55:34 -0400 Subject: [PATCH 08/33] update tests to check for missing data issues Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- tests/unit/test_output.py | 7 ++++++ tests/unit/test_socketcli.py | 47 ++++++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 tests/unit/test_socketcli.py diff --git a/tests/unit/test_output.py b/tests/unit/test_output.py index 9080f03..92c27e0 100644 --- a/tests/unit/test_output.py +++ b/tests/unit/test_output.py @@ -123,6 +123,13 @@ def test_sbom_file_saving(self, handler, tmp_path): handler.save_sbom_file(diff, str(sbom_path)) assert sbom_path.exists() + def test_sbom_file_saving_without_sbom_writes_empty_array(self, handler, tmp_path): + diff = Diff() + sbom_path = tmp_path / "empty.json" + handler.save_sbom_file(diff, str(sbom_path)) + assert sbom_path.exists() + assert json.loads(sbom_path.read_text()) == [] + def test_json_file_saving(self, tmp_path): from socketsecurity.config import CliConfig from unittest.mock import Mock diff --git a/tests/unit/test_socketcli.py b/tests/unit/test_socketcli.py new file mode 100644 index 0000000..e6f4e16 --- /dev/null +++ b/tests/unit/test_socketcli.py @@ -0,0 +1,47 @@ +from socketsecurity.core.classes import Diff, Package +from socketsecurity.socketcli import build_license_artifact_payload + + +def test_build_license_artifact_payload_without_packages_returns_empty_dict(): + diff = Diff() + + payload = build_license_artifact_payload(diff) + + assert payload == {} + + +def test_build_license_artifact_payload_serializes_package_fields(): + diff = Diff() + diff.packages = { + "pypi/requests@2.31.0": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://socket.dev/pypi/package/requests/overview/2.31.0", + license="Apache-2.0", + licenseDetails=[{"id": "Apache-2.0"}], + licenseAttrib=[{"id": "Apache-2.0"}], + purl="requests@2.31.0", + ) + } + + payload = build_license_artifact_payload(diff) + + assert payload == { + "pkg-1": { + "id": "pkg-1", + "name": "requests", + "version": "2.31.0", + "ecosystem": "pypi", + "direct": True, + "url": "https://socket.dev/pypi/package/requests/overview/2.31.0", + "license": "Apache-2.0", + "licenseDetails": [{"id": "Apache-2.0"}], + "licenseAttrib": [{"id": "Apache-2.0"}], + "purl": "requests@2.31.0", + } + } From d2bc9149fe0dd420b8b04b70363fb02dd62f2634 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 18 May 2026 14:46:29 -0400 Subject: [PATCH 09/33] add opt-in FOSSA-compatible legal artifact mode Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- socketsecurity/config.py | 29 ++- socketsecurity/fossa_compat.py | 353 +++++++++++++++++++++++++++++++++ socketsecurity/output.py | 4 + socketsecurity/socketcli.py | 18 +- 4 files changed, 400 insertions(+), 4 deletions(-) create mode 100644 socketsecurity/fossa_compat.py diff --git a/socketsecurity/config.py b/socketsecurity/config.py index c01a0db..ffaf5f4 100644 --- a/socketsecurity/config.py +++ b/socketsecurity/config.py @@ -141,6 +141,7 @@ class CliConfig: max_purl_batch_size: int = 5000 enable_commit_status: bool = False legal: bool = False + legal_format: str = "socket" config_file: Optional[str] = None @classmethod @@ -253,12 +254,13 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': 'reach_continue_on_no_source_files': args.reach_continue_on_no_source_files, 'max_purl_batch_size': args.max_purl_batch_size, 'enable_commit_status': args.enable_commit_status, - 'legal': args.legal, + 'legal': args.legal or args.legal_format == "fossa", + 'legal_format': args.legal_format, 'config_file': args.config_file, 'version': __version__ } - if args.legal: + if config_args['legal']: config_args['generate_license'] = True if not config_args['json_file']: config_args['json_file'] = "socket-report.json" @@ -270,6 +272,22 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig': config_args['sbom_file'] = "socket-sbom.json" if config_args['license_file_name'] == "license_output.json": config_args['license_file_name'] = "socket-license.json" + + if config_args['legal_format'] == "fossa": + if not args.json_file: + config_args['json_file'] = "fossa-analyze.json" + if not args.summary_file: + config_args['summary_file'] = "fossa-test.txt" + if not args.report_link_file: + config_args['report_link_file'] = "fossa-link.txt" + if not args.license_file_name: + # argparse always provides a default, so this branch is defensive only + config_args['license_file_name'] = "fossa-sbom.json" + elif args.license_file_name == "license_output.json": + config_args['license_file_name'] = "fossa-sbom.json" + if not args.sbom_file: + # FOSSA's "SBOM" artifact is the attribution payload; suppress the extra Socket-only SBOM file by default. + config_args['sbom_file'] = None excluded_ecosystems = config_args["excluded_ecosystems"] if isinstance(excluded_ecosystems, list): config_args["excluded_ecosystems"] = excluded_ecosystems @@ -791,6 +809,13 @@ def create_argument_parser() -> argparse.ArgumentParser: action="store_true", help="Enable legal/compliance-friendly defaults and file outputs" ) + advanced_group.add_argument( + "--legal-format", + dest="legal_format", + choices=["socket", "fossa"], + default="socket", + help="Select the legal artifact format. 'socket' keeps Socket-native outputs; 'fossa' emits compatibility-shaped JSON artifacts." + ) config_group.add_argument( "--include-module-folders", dest="include_module_folders", diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py new file mode 100644 index 0000000..4708096 --- /dev/null +++ b/socketsecurity/fossa_compat.py @@ -0,0 +1,353 @@ +from __future__ import annotations + +from typing import Any, Iterable, Optional + +from socketsecurity.config import CliConfig +from socketsecurity.core.classes import Diff, Issue, Package + + +LICENSE_ALERT_TYPES = {"licenseSpdxDisj"} +QUALITY_ALERT_PREFIXES = ("risk", "quality", "outdated", "unmaintained") + + +def _ecosystem_to_package_manager(ecosystem: Optional[str]) -> str: + mapping = { + "pypi": "pip", + "npm": "npm", + "maven": "maven", + "nuget": "nuget", + "gem": "gem", + "golang": "go", + "cargo": "cargo", + } + if not ecosystem: + return "unknown" + return mapping.get(ecosystem, ecosystem) + + +def _listify(value: Any) -> list[Any]: + if value is None: + return [] + if isinstance(value, list): + return value + return [value] + + +def _first_non_empty(*values: Any) -> Any: + for value in values: + if value not in (None, "", [], {}): + return value + return None + + +def _build_project_metadata(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + repo = getattr(config, "repo", None) or "socket-default-repo" + branch = getattr(config, "branch", None) or "socket-default-branch" + revision = getattr(diff_report, "id", None) or getattr(diff_report, "new_scan_id", None) or "unknown-revision" + report_url = getattr(diff_report, "report_url", None) or getattr(diff_report, "diff_url", None) + project_id = repo + return { + "branch": branch, + "id": f"{project_id}-{revision}", + "project": repo, + "projectId": project_id, + "revision": revision, + "url": report_url, + } + + +def _build_source_metadata(issue: Issue, package: Optional[Package]) -> dict[str, Any]: + package_type = _ecosystem_to_package_manager( + getattr(package, "type", None) or getattr(issue, "pkg_type", None) + ) + package_name = getattr(package, "name", None) or getattr(issue, "pkg_name", None) + package_version = getattr(package, "version", None) or getattr(issue, "pkg_version", None) + package_url = getattr(package, "url", None) or getattr(issue, "url", None) + return { + "id": f"{package_type}+{package_name}${package_version}", + "name": package_name, + "url": package_url, + "version": package_version, + "packageManager": package_type, + } + + +def _build_depths(package: Optional[Package]) -> dict[str, int]: + is_direct = bool(getattr(package, "direct", False)) + return { + "direct": 1 if is_direct else 0, + "deep": 0 if is_direct else 1, + } + + +def _build_statuses(issue: Issue) -> dict[str, int]: + is_ignored = bool(getattr(issue, "ignore", False)) + return { + "active": 0 if is_ignored else 1, + "ignored": 1 if is_ignored else 0, + } + + +def _build_projects_entry(project: dict[str, Any], package: Optional[Package]) -> list[dict[str, Any]]: + is_direct = bool(getattr(package, "direct", False)) + return [{ + "id": project["projectId"], + "status": "active", + "depth": 1 if is_direct else 2, + "title": project["project"], + "scannedAt": None, + "analyzedAt": None, + "url": project["url"], + "firstFoundAt": None, + "defaultBranch": project["branch"], + "latest": True, + "revisionId": f"{project['projectId']}${project['revision']}", + "revisionScanId": project["revision"], + }] + + +def _extract_cve(props: dict[str, Any]) -> Optional[str]: + cve = _first_non_empty(props.get("cveId"), props.get("cve")) + if isinstance(cve, list): + return cve[0] if cve else None + return cve + + +def _extract_float(*values: Any) -> Optional[float]: + value = _first_non_empty(*values) + if value is None: + return None + try: + return float(value) + except (TypeError, ValueError): + return None + + +def _extract_string_list(*values: Any) -> list[str]: + items = _listify(_first_non_empty(*values)) + output = [] + for item in items: + if isinstance(item, str) and item: + output.append(item) + return output + + +def _build_remediation(props: dict[str, Any]) -> dict[str, Any]: + partial_fix = _first_non_empty( + props.get("partialFix"), + props.get("fixedVersion"), + props.get("fixed_version"), + props.get("patchedVersion"), + props.get("patched_version"), + props.get("range"), + ) + complete_fix = _first_non_empty( + props.get("completeFix"), + props.get("fixedVersion"), + props.get("fixed_version"), + props.get("patchedVersion"), + props.get("patched_version"), + props.get("range"), + ) + return { + "partialFix": partial_fix, + "partialFixDistance": props.get("partialFixDistance"), + "completeFix": complete_fix, + "completeFixDistance": props.get("completeFixDistance"), + } + + +def _build_epss(props: dict[str, Any]) -> dict[str, Any]: + score = _extract_float(props.get("epssScore"), props.get("epss_score")) + percentile = _extract_float(props.get("epssPercentile"), props.get("epss_percentile")) + return { + "score": score, + "percentile": percentile, + } + + +def _build_metrics(props: dict[str, Any]) -> list[dict[str, Any]]: + metrics = props.get("metrics") + if isinstance(metrics, list): + return metrics + + metric_map = [ + ("Attack Vector", props.get("attackVector")), + ("Attack Complexity", props.get("attackComplexity")), + ("Privileges Required", props.get("privilegesRequired")), + ("User Interaction", props.get("userInteraction")), + ("Scope", props.get("scope")), + ("Confidentiality Impact", props.get("confidentialityImpact")), + ("Integrity Impact", props.get("integrityImpact")), + ("Availability Impact", props.get("availabilityImpact")), + ] + return [ + {"name": name, "value": value} + for name, value in metric_map + if value not in (None, "") + ] + + +def _extract_references(issue: Issue, props: dict[str, Any]) -> list[str]: + references = _listify(props.get("references")) + if props.get("url"): + references.append(props["url"]) + if getattr(issue, "url", None): + references.append(issue.url) + deduped = [] + seen = set() + for reference in references: + if not isinstance(reference, str) or not reference: + continue + if reference in seen: + continue + seen.add(reference) + deduped.append(reference) + return deduped + + +def _build_vulnerability_entry( + issue: Issue, package: Optional[Package], project: dict[str, Any], index: int +) -> dict[str, Any]: + props = getattr(issue, "props", {}) or {} + return { + "id": props.get("id") or f"socket-vulnerability-{index}", + "type": "vulnerability", + "createdAt": props.get("createdAt"), + "source": _build_source_metadata(issue, package), + "depths": _build_depths(package), + "containerLayers": {"base": 0, "other": 0}, + "statuses": _build_statuses(issue), + "projects": _build_projects_entry(project, package), + "url": getattr(issue, "url", None) or project["url"], + "vulnId": _first_non_empty(props.get("ghsaId"), props.get("cveId"), issue.key, f"socket-vuln-{index}"), + "title": getattr(issue, "title", None), + "cve": _extract_cve(props), + "cvss": _extract_float(props.get("cvssScore"), props.get("cvss")), + "severity": getattr(issue, "severity", "unknown"), + "details": _first_non_empty(getattr(issue, "description", None), props.get("overview"), props.get("note")), + "remediation": _build_remediation(props), + "metrics": _build_metrics(props), + "cveStatus": props.get("cveStatus"), + "cwes": _extract_string_list(props.get("cwes"), props.get("cwe")), + "published": props.get("published"), + "affectedVersionRanges": _extract_string_list(props.get("affectedVersionRanges"), props.get("affected_versions")), + "patchedVersionRanges": _extract_string_list(props.get("patchedVersionRanges"), props.get("patched_versions")), + "references": _extract_references(issue, props), + "cvssVector": props.get("cvssVector"), + "exploitability": props.get("exploitability"), + "epss": _build_epss(props), + "cpes": _extract_string_list(props.get("cpes")), + } + + +def _build_licensing_entry( + issue: Issue, package: Optional[Package], project: dict[str, Any], index: int +) -> dict[str, Any]: + props = getattr(issue, "props", {}) or {} + package_license = getattr(package, "license", None) + issue_type = "policy_conflict" + if not package_license: + issue_type = "unlicensed_dependency" + elif getattr(issue, "type", None) not in LICENSE_ALERT_TYPES: + issue_type = "policy_flag" + return { + "id": props.get("id") or f"socket-licensing-{index}", + "type": issue_type, + "createdAt": props.get("createdAt"), + "source": _build_source_metadata(issue, package), + "depths": _build_depths(package), + "statuses": _build_statuses(issue), + "projects": _build_projects_entry(project, package), + "url": getattr(issue, "url", None) or project["url"], + "title": getattr(issue, "title", None) or "License Policy Violation", + "details": _first_non_empty(getattr(issue, "description", None), props.get("note"), package_license), + "license": package_license, + "identifiedLicense": package_license, + "references": _extract_references(issue, props), + } + + +def _build_quality_entry( + issue: Issue, package: Optional[Package], project: dict[str, Any], index: int +) -> dict[str, Any]: + props = getattr(issue, "props", {}) or {} + return { + "id": props.get("id") or f"socket-quality-{index}", + "type": getattr(issue, "type", None) or "quality_issue", + "createdAt": props.get("createdAt"), + "source": _build_source_metadata(issue, package), + "depths": _build_depths(package), + "statuses": _build_statuses(issue), + "projects": _build_projects_entry(project, package), + "url": getattr(issue, "url", None) or project["url"], + "title": getattr(issue, "title", None), + "details": _first_non_empty(getattr(issue, "description", None), props.get("note")), + "references": _extract_references(issue, props), + } + + +def _iter_selected_issues(diff_report: Diff, config: CliConfig) -> Iterable[Issue]: + yield from getattr(diff_report, "new_alerts", []) or [] + if getattr(config, "strict_blocking", False): + yield from getattr(diff_report, "unchanged_alerts", []) or [] + + +def _classify_issue(issue: Issue) -> str: + issue_type = (getattr(issue, "type", "") or "").lower() + category = (getattr(issue, "category", "") or "").lower() + if issue_type in LICENSE_ALERT_TYPES or "license" in issue_type or category == "licensing": + return "licensing" + if category == "quality" or issue_type.startswith(QUALITY_ALERT_PREFIXES): + return "quality" + return "vulnerability" + + +def build_fossa_report_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + project = _build_project_metadata(diff_report, config) + package_lookup = getattr(diff_report, "packages", {}) or {} + vulnerabilities = [] + licensing = [] + quality = [] + + for index, issue in enumerate(_iter_selected_issues(diff_report, config), start=1): + package = package_lookup.get(getattr(issue, "pkg_id", "")) if package_lookup else None + category = _classify_issue(issue) + if category == "licensing": + licensing.append(_build_licensing_entry(issue, package, project, index)) + elif category == "quality": + quality.append(_build_quality_entry(issue, package, project, index)) + else: + vulnerabilities.append(_build_vulnerability_entry(issue, package, project, index)) + + return { + "project": project, + "vulnerability": vulnerabilities, + "licensing": licensing, + "quality": quality, + } + + +def build_fossa_attribution_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + project = _build_project_metadata(diff_report, config) + packages = getattr(diff_report, "packages", {}) or {} + package_entries = [] + + for package in packages.values(): + package_entries.append({ + "id": package.id, + "name": package.name, + "version": package.version, + "ecosystem": _ecosystem_to_package_manager(package.type), + "direct": bool(getattr(package, "direct", False)), + "url": package.url, + "purl": package.purl, + "declaredLicense": package.license, + "licenseDetails": package.licenseDetails or [], + "licenseAttrib": package.licenseAttrib or [], + }) + + return { + "project": project, + "dependencies": package_entries, + } diff --git a/socketsecurity/output.py b/socketsecurity/output.py index 6761243..63fe565 100644 --- a/socketsecurity/output.py +++ b/socketsecurity/output.py @@ -5,6 +5,7 @@ from .core.messages import Messages from .core.classes import Diff, Issue from .config import CliConfig +from .fossa_compat import build_fossa_report_payload from socketsecurity.plugins.manager import PluginManager from socketsecurity.core.alert_selection import ( clone_diff_with_selected_alerts, @@ -268,6 +269,9 @@ def build_summary_text(self, diff_report: Diff) -> str: def build_json_report(self, diff_report: Diff) -> dict: """Build the JSON report payload for stdout and file output.""" + if getattr(self.config, "legal_format", "socket") == "fossa": + return build_fossa_report_payload(diff_report, self.config) + selected_alerts = select_diff_alerts(diff_report, strict_blocking=self.config.strict_blocking) selected_diff = clone_diff_with_selected_alerts(diff_report, selected_alerts) report = Messages.create_security_comment_json(selected_diff) diff --git a/socketsecurity/socketcli.py b/socketsecurity/socketcli.py index 34de8ec..86f5ff8 100644 --- a/socketsecurity/socketcli.py +++ b/socketsecurity/socketcli.py @@ -20,6 +20,7 @@ from socketsecurity.core.messages import Messages from socketsecurity.core.scm_comments import Comments from socketsecurity.core.socket_config import SocketConfig +from socketsecurity.fossa_compat import build_fossa_attribution_payload from socketsecurity.output import OutputHandler socket_logger, log = initialize_logging() @@ -27,8 +28,17 @@ load_dotenv() -def build_license_artifact_payload(diff: Diff) -> dict: +def build_license_artifact_payload( + diff: Diff, + legal_format: str = "socket", + config: CliConfig | None = None, +) -> dict: """Build the license artifact payload from a diff, tolerating sparse scan paths.""" + if legal_format == "fossa": + if config is None: + raise ValueError("config is required when building FOSSA-format legal artifacts") + return build_fossa_attribution_payload(diff, config) + all_packages = {} packages = getattr(diff, "packages", {}) or {} for purl in packages: @@ -765,7 +775,11 @@ def _is_unprocessed(c): # Handle license generation if not should_skip_scan and diff.id != "NO_DIFF_RAN" and diff.id != "NO_SCAN_RAN" and config.generate_license: - all_packages = build_license_artifact_payload(diff) + all_packages = build_license_artifact_payload( + diff, + legal_format=getattr(config, "legal_format", "socket"), + config=config, + ) core.save_file(config.license_file_name, json.dumps(all_packages)) # If we forced API mode due to no supported files, behave as if --disable-blocking was set From b28a0350408517b2b80cbb3e425fc9a2cc4dcd72 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 18 May 2026 14:46:50 -0400 Subject: [PATCH 10/33] cover FOSSA-compatible legal outputs/sample scenarios Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- tests/unit/test_cli_config.py | 21 +++++- tests/unit/test_fossa_compat.py | 111 ++++++++++++++++++++++++++++++++ tests/unit/test_output.py | 103 ++++++++++++++++++++++++++++- tests/unit/test_socketcli.py | 62 ++++++++++++++++++ 4 files changed, 295 insertions(+), 2 deletions(-) create mode 100644 tests/unit/test_fossa_compat.py diff --git a/tests/unit/test_cli_config.py b/tests/unit/test_cli_config.py index 295ad5f..27801ec 100644 --- a/tests/unit/test_cli_config.py +++ b/tests/unit/test_cli_config.py @@ -7,8 +7,15 @@ def test_api_token_from_env(self, monkeypatch): config = CliConfig.from_args([]) # Empty args list assert config.api_token == "test-token" - def test_required_args(self): + def test_required_args(self, monkeypatch): """Test that api token is required if not in environment""" + for env_var in ( + "SOCKET_SECURITY_API_KEY", + "SOCKET_SECURITY_API_TOKEN", + "SOCKET_API_KEY", + "SOCKET_API_TOKEN", + ): + monkeypatch.delenv(env_var, raising=False) with pytest.raises(ValueError, match="API token is required"): config = CliConfig.from_args([]) if not config.api_token: @@ -86,6 +93,7 @@ def test_workspace_is_independent_of_workspace_name(self): def test_legal_flag_sets_default_artifact_files(self): config = CliConfig.from_args(["--api-token", "test", "--legal"]) assert config.legal is True + assert config.legal_format == "socket" assert config.generate_license is True assert config.json_file == "socket-report.json" assert config.summary_file == "socket-summary.txt" @@ -108,3 +116,14 @@ def test_legal_flag_preserves_explicit_file_paths(self): assert config.report_link_file == "custom-link.txt" assert config.sbom_file == "custom-sbom.json" assert config.license_file_name == "custom-license.json" + + def test_fossa_legal_format_enables_legal_defaults(self): + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + assert config.legal is True + assert config.legal_format == "fossa" + assert config.generate_license is True + assert config.json_file == "fossa-analyze.json" + assert config.summary_file == "fossa-test.txt" + assert config.report_link_file == "fossa-link.txt" + assert config.sbom_file is None + assert config.license_file_name == "fossa-sbom.json" diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py new file mode 100644 index 0000000..65c2a20 --- /dev/null +++ b/tests/unit/test_fossa_compat.py @@ -0,0 +1,111 @@ +import json +from pathlib import Path + +from socketsecurity.config import CliConfig +from socketsecurity.core.classes import Diff, Issue, Package +from socketsecurity.fossa_compat import build_fossa_report_payload + + +FIXTURE_DIR = Path("/Users/lelia/github/fossa/DependencyScan/Fossa/validation-pipeline") + + +def test_fossa_report_payload_matches_sample_top_level_shape(): + sample = json.loads( + (FIXTURE_DIR / "fossa-analyze-11464165-job-011e1ec8-6569-5e69-4f06-baf193d1351e_03172026132742.json").read_text() + ) + + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + diff = Diff(id="scan-123", report_url="https://socket.dev/report/123") + + payload = build_fossa_report_payload(diff, config) + + assert list(payload.keys()) == list(sample.keys()) + assert sorted(payload["project"].keys()) == sorted(sample["project"].keys()) + assert payload["vulnerability"] == [] + assert payload["licensing"] == [] + assert payload["quality"] == [] + + +def test_fossa_report_payload_vulnerability_keys_cover_sample_shape(): + sample = json.loads( + (FIXTURE_DIR / "fossa-analyze-11464165-job-7f33e5bd-7764-5d8a-ba2e-506e078b9c3f_03172026132955.json").read_text() + ) + sample_vulnerability = sample["vulnerability"][0] + + config = CliConfig.from_args([ + "--api-token", "test", + "--legal-format", "fossa", + "--repo", "owner/repo", + "--branch", "refs/heads/main", + ]) + diff = Diff(id="scan-123", report_url="https://socket.dev/report/123") + diff.packages = { + "pkg-1": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://requests.readthedocs.io/", + license="Apache-2.0", + purl="pkg:pypi/requests@2.31.0", + ) + } + diff.new_alerts = [ + Issue( + title="Insufficiently Protected Credentials", + severity="medium", + description="Requests may leak credentials for crafted URLs.", + error=True, + key="GHSA-9hjg-9r4m-mvj7", + type="vulnerability", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.31.0", + pkg_id="pkg-1", + purl="pkg:pypi/requests@2.31.0", + url="https://socket.dev/pypi/package/requests/alerts/2.31.0", + props={ + "id": 11088938, + "createdAt": "2025-10-08T10:41:05.933Z", + "ghsaId": "GHSA-9hjg-9r4m-mvj7", + "cveId": "CVE-2024-47081", + "cvssScore": 5.3, + "fixedVersion": "2.32.4", + "partialFixDistance": "MINOR", + "completeFixDistance": "MINOR", + "attackVector": "Network", + "attackComplexity": "High", + "privilegesRequired": "None", + "userInteraction": "Required", + "scope": "Unchanged", + "confidentialityImpact": "High", + "integrityImpact": "None", + "availabilityImpact": "None", + "cveStatus": "COMPLETED", + "cwes": ["CWE-522"], + "published": "2025-06-09T19:06:08Z", + "affectedVersionRanges": ["<2.32.4"], + "patchedVersionRanges": ["2.32.4"], + "references": ["https://github.com/advisories/GHSA-9hjg-9r4m-mvj7"], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epssScore": 0.00154, + "epssPercentile": 0.35957, + "cpes": [], + }, + ) + ] + + payload = build_fossa_report_payload(diff, config) + generated_vulnerability = payload["vulnerability"][0] + + assert sorted(generated_vulnerability.keys()) == sorted(sample_vulnerability.keys()) + assert generated_vulnerability["source"]["packageManager"] == sample_vulnerability["source"]["packageManager"] + assert sorted(generated_vulnerability["source"].keys()) == sorted(sample_vulnerability["source"].keys()) + assert sorted(generated_vulnerability["depths"].keys()) == sorted(sample_vulnerability["depths"].keys()) + assert sorted(generated_vulnerability["statuses"].keys()) == sorted(sample_vulnerability["statuses"].keys()) + assert sorted(generated_vulnerability["remediation"].keys()) == sorted(sample_vulnerability["remediation"].keys()) + assert sorted(generated_vulnerability["epss"].keys()) == sorted(sample_vulnerability["epss"].keys()) diff --git a/tests/unit/test_output.py b/tests/unit/test_output.py index 92c27e0..c5f2e02 100644 --- a/tests/unit/test_output.py +++ b/tests/unit/test_output.py @@ -1,6 +1,6 @@ import pytest from socketsecurity.output import OutputHandler -from socketsecurity.core.classes import Diff, Issue +from socketsecurity.core.classes import Diff, Issue, Package import json class TestOutputHandler: @@ -144,6 +144,7 @@ def test_json_file_saving(self, tmp_path): config.report_link_file = None config.sbom_file = None config.legal = True + config.legal_format = "socket" config.repo = "owner/repo" config.branch = "main" config.commit_sha = "abc123" @@ -199,6 +200,7 @@ def test_summary_and_report_link_files_are_written(self, tmp_path): config.report_link_file = str(report_link_path) config.sbom_file = None config.legal = False + config.legal_format = "socket" config.repo = None config.branch = "" config.commit_sha = "" @@ -235,6 +237,105 @@ def test_summary_and_report_link_files_are_written(self, tmp_path): assert "Security issues detected by Socket Security:" in summary_path.read_text() assert report_link_path.read_text().strip() == "https://socket.dev/report/123" + def test_json_file_saving_in_fossa_format(self, tmp_path): + from socketsecurity.config import CliConfig + from unittest.mock import Mock + + json_path = tmp_path / "fossa-report.json" + + config = Mock(spec=CliConfig) + config.disable_blocking = False + config.strict_blocking = False + config.json_file = str(json_path) + config.summary_file = None + config.report_link_file = None + config.sbom_file = None + config.legal = True + config.legal_format = "fossa" + config.repo = "owner/repo" + config.branch = "refs/heads/main" + config.commit_sha = "abc123" + config.enable_json = False + config.enable_sarif = False + config.enable_gitlab_security = False + config.enable_debug = False + + handler = OutputHandler(config, Mock()) + + diff = Diff() + diff.id = "scan-123" + diff.report_url = "https://socket.dev/report/123" + diff.packages = { + "pkg-1": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://socket.dev/pypi/package/requests/overview/2.31.0", + license="Apache-2.0", + purl="pkg:pypi/requests@2.31.0", + ) + } + diff.new_alerts = [ + Issue( + title="Prototype Pollution", + severity="high", + description="Upgrade to a fixed version.", + error=True, + key="alert-1", + type="vulnerability", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.31.0", + pkg_id="pkg-1", + purl="pkg:pypi/requests@2.31.0", + url="https://socket.dev/npm/package/requests/alerts/2.31.0", + props={ + "ghsaId": "GHSA-1234", + "cveId": "CVE-2026-1234", + "cvssScore": 8.2, + "fixedVersion": "2.31.1", + "references": ["https://github.com/advisories/GHSA-1234"], + }, + ), + Issue( + title="License Policy Violation", + severity="medium", + description="Package license violates policy.", + warn=True, + key="license-1", + type="licenseSpdxDisj", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.31.0", + pkg_id="pkg-1", + purl="pkg:pypi/requests@2.31.0", + url="https://socket.dev/pypi/package/requests/license/2.31.0", + ), + ] + + handler.save_json_file(diff, str(json_path)) + + saved = json.loads(json_path.read_text()) + assert saved["project"] == { + "branch": "refs/heads/main", + "id": "owner/repo-scan-123", + "project": "owner/repo", + "projectId": "owner/repo", + "revision": "scan-123", + "url": "https://socket.dev/report/123", + } + assert len(saved["vulnerability"]) == 1 + assert saved["vulnerability"][0]["vulnId"] == "GHSA-1234" + assert saved["vulnerability"][0]["cve"] == "CVE-2026-1234" + assert saved["vulnerability"][0]["source"]["packageManager"] == "pip" + assert saved["vulnerability"][0]["remediation"]["completeFix"] == "2.31.1" + assert saved["licensing"][0]["type"] == "policy_conflict" + assert saved["quality"] == [] + def test_report_pass_with_strict_blocking_new_alerts(self): """Test that strict-blocking fails on new blocking alerts""" from socketsecurity.config import CliConfig diff --git a/tests/unit/test_socketcli.py b/tests/unit/test_socketcli.py index e6f4e16..67d7114 100644 --- a/tests/unit/test_socketcli.py +++ b/tests/unit/test_socketcli.py @@ -45,3 +45,65 @@ def test_build_license_artifact_payload_serializes_package_fields(): "purl": "requests@2.31.0", } } + + +def test_build_license_artifact_payload_fossa_format_without_packages(): + class Config: + repo = "owner/repo" + branch = "main" + + diff = Diff(id="scan-1", report_url="https://socket.dev/report/1") + + payload = build_license_artifact_payload(diff, legal_format="fossa", config=Config()) + + assert payload == { + "project": { + "branch": "main", + "id": "owner/repo-scan-1", + "project": "owner/repo", + "projectId": "owner/repo", + "revision": "scan-1", + "url": "https://socket.dev/report/1", + }, + "dependencies": [], + } + + +def test_build_license_artifact_payload_fossa_format_serializes_dependencies(): + class Config: + repo = "owner/repo" + branch = "main" + + diff = Diff(id="scan-1", report_url="https://socket.dev/report/1") + diff.packages = { + "pkg:pypi/requests@2.31.0": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://socket.dev/pypi/package/requests/overview/2.31.0", + license="Apache-2.0", + licenseDetails=[{"id": "Apache-2.0"}], + licenseAttrib=[{"id": "Apache-2.0"}], + purl="pkg:pypi/requests@2.31.0", + ) + } + + payload = build_license_artifact_payload(diff, legal_format="fossa", config=Config()) + + assert payload["project"]["projectId"] == "owner/repo" + assert payload["dependencies"] == [{ + "id": "pkg-1", + "name": "requests", + "version": "2.31.0", + "ecosystem": "pip", + "direct": True, + "url": "https://socket.dev/pypi/package/requests/overview/2.31.0", + "purl": "pkg:pypi/requests@2.31.0", + "declaredLicense": "Apache-2.0", + "licenseDetails": [{"id": "Apache-2.0"}], + "licenseAttrib": [{"id": "Apache-2.0"}], + }] From ec138e262a0b8e785f8fca3c951a0bab27f4ca46 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 18 May 2026 14:47:18 -0400 Subject: [PATCH 11/33] update README docs to include FOSSA compatibility mode Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index 97519bd..9a6e6d8 100644 --- a/README.md +++ b/README.md @@ -148,6 +148,22 @@ This preset enables license generation and writes default artifacts unless you o - `socket-sbom.json` - `socket-license.json` +FOSSA-compatibility shaped legal artifacts: + +```bash +socketcli --legal-format fossa --target-path . +``` + +This switches the JSON report and legal artifact payloads to FOSSA-style compatibility shapes: +- the analyze artifact becomes a `project` / `vulnerability` / `licensing` / `quality` report +- the SBOM artifact becomes a `project` / `dependencies` attribution-style payload + +When `--legal-format fossa` is used without explicit output paths, the defaults are closer to the FOSSA pipeline contract: +- `fossa-analyze.json` +- `fossa-test.txt` +- `fossa-link.txt` +- `fossa-sbom.json` + Reference sample configs: TOML: From d2859f9b30930da57088039bd74676361165ec60 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 18 May 2026 19:15:48 -0400 Subject: [PATCH 12/33] bump version for release Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- pyproject.toml | 2 +- socketsecurity/__init__.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 50b0518..4b7f380 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ build-backend = "hatchling.build" [project] name = "socketsecurity" -version = "2.2.88" +version = "2.2.89" requires-python = ">= 3.11" license = {"file" = "LICENSE"} dependencies = [ diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py index a7dcdfb..9547cf5 100644 --- a/socketsecurity/__init__.py +++ b/socketsecurity/__init__.py @@ -1,3 +1,3 @@ __author__ = 'socket.dev' -__version__ = '2.2.88' +__version__ = '2.2.89' USER_AGENT = f'SocketPythonCLI/{__version__}' From 38433afa5ae206e41f368f37bb78d3244c9455ae Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Mon, 18 May 2026 19:17:15 -0400 Subject: [PATCH 13/33] update uv lockfile version Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- uv.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uv.lock b/uv.lock index 5a67fa0..3266b98 100644 --- a/uv.lock +++ b/uv.lock @@ -1168,7 +1168,7 @@ wheels = [ [[package]] name = "socketsecurity" -version = "2.2.87" +version = "2.2.89" source = { editable = "." } dependencies = [ { name = "bs4" }, From f0037683ee00a8595d6ea5b4a9ea36b81c9f19db Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Thu, 21 May 2026 14:40:52 -0400 Subject: [PATCH 14/33] fix compatibility unit tests Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- tests/unit/test_fossa_compat.py | 126 +++++++++++++++++++++++++------- 1 file changed, 101 insertions(+), 25 deletions(-) diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index 65c2a20..4e0b7c2 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -1,37 +1,68 @@ -import json -from pathlib import Path - from socketsecurity.config import CliConfig from socketsecurity.core.classes import Diff, Issue, Package -from socketsecurity.fossa_compat import build_fossa_report_payload - +from socketsecurity.fossa_compat import ( + build_fossa_attribution_payload, + build_fossa_report_payload, +) -FIXTURE_DIR = Path("/Users/lelia/github/fossa/DependencyScan/Fossa/validation-pipeline") +EXPECTED_TOP_LEVEL_KEYS = ["project", "vulnerability", "licensing", "quality"] +EXPECTED_PROJECT_KEYS = ["branch", "id", "project", "projectId", "revision", "url"] +EXPECTED_VULNERABILITY_KEYS = [ + "affectedVersionRanges", + "containerLayers", + "cpes", + "createdAt", + "cve", + "cveStatus", + "cwes", + "cvss", + "cvssVector", + "depths", + "details", + "epss", + "exploitability", + "id", + "metrics", + "patchedVersionRanges", + "projects", + "published", + "references", + "remediation", + "severity", + "source", + "statuses", + "title", + "type", + "url", + "vulnId", +] +EXPECTED_SOURCE_KEYS = ["id", "name", "packageManager", "url", "version"] +EXPECTED_DEPTH_KEYS = ["deep", "direct"] +EXPECTED_STATUS_KEYS = ["active", "ignored"] +EXPECTED_REMEDIATION_KEYS = [ + "completeFix", + "completeFixDistance", + "partialFix", + "partialFixDistance", +] +EXPECTED_EPSS_KEYS = ["percentile", "score"] -def test_fossa_report_payload_matches_sample_top_level_shape(): - sample = json.loads( - (FIXTURE_DIR / "fossa-analyze-11464165-job-011e1ec8-6569-5e69-4f06-baf193d1351e_03172026132742.json").read_text() - ) +def test_fossa_report_payload_uses_expected_top_level_shape(): config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) diff = Diff(id="scan-123", report_url="https://socket.dev/report/123") payload = build_fossa_report_payload(diff, config) - assert list(payload.keys()) == list(sample.keys()) - assert sorted(payload["project"].keys()) == sorted(sample["project"].keys()) + assert list(payload.keys()) == EXPECTED_TOP_LEVEL_KEYS + assert sorted(payload["project"].keys()) == sorted(EXPECTED_PROJECT_KEYS) assert payload["vulnerability"] == [] assert payload["licensing"] == [] assert payload["quality"] == [] -def test_fossa_report_payload_vulnerability_keys_cover_sample_shape(): - sample = json.loads( - (FIXTURE_DIR / "fossa-analyze-11464165-job-7f33e5bd-7764-5d8a-ba2e-506e078b9c3f_03172026132955.json").read_text() - ) - sample_vulnerability = sample["vulnerability"][0] - +def test_fossa_report_payload_vulnerability_shape_is_stable(): config = CliConfig.from_args([ "--api-token", "test", "--legal-format", "fossa", @@ -102,10 +133,55 @@ def test_fossa_report_payload_vulnerability_keys_cover_sample_shape(): payload = build_fossa_report_payload(diff, config) generated_vulnerability = payload["vulnerability"][0] - assert sorted(generated_vulnerability.keys()) == sorted(sample_vulnerability.keys()) - assert generated_vulnerability["source"]["packageManager"] == sample_vulnerability["source"]["packageManager"] - assert sorted(generated_vulnerability["source"].keys()) == sorted(sample_vulnerability["source"].keys()) - assert sorted(generated_vulnerability["depths"].keys()) == sorted(sample_vulnerability["depths"].keys()) - assert sorted(generated_vulnerability["statuses"].keys()) == sorted(sample_vulnerability["statuses"].keys()) - assert sorted(generated_vulnerability["remediation"].keys()) == sorted(sample_vulnerability["remediation"].keys()) - assert sorted(generated_vulnerability["epss"].keys()) == sorted(sample_vulnerability["epss"].keys()) + assert sorted(generated_vulnerability.keys()) == sorted(EXPECTED_VULNERABILITY_KEYS) + assert sorted(generated_vulnerability["source"].keys()) == sorted(EXPECTED_SOURCE_KEYS) + assert sorted(generated_vulnerability["depths"].keys()) == sorted(EXPECTED_DEPTH_KEYS) + assert sorted(generated_vulnerability["statuses"].keys()) == sorted(EXPECTED_STATUS_KEYS) + assert sorted(generated_vulnerability["remediation"].keys()) == sorted(EXPECTED_REMEDIATION_KEYS) + assert sorted(generated_vulnerability["epss"].keys()) == sorted(EXPECTED_EPSS_KEYS) + assert generated_vulnerability["source"]["packageManager"] == "pip" + assert generated_vulnerability["vulnId"] == "GHSA-9hjg-9r4m-mvj7" + assert generated_vulnerability["cve"] == "CVE-2024-47081" + + +def test_fossa_attribution_payload_shape_is_stable(): + config = CliConfig.from_args([ + "--api-token", "test", + "--legal-format", "fossa", + "--repo", "owner/repo", + "--branch", "refs/heads/main", + ]) + diff = Diff(id="scan-123", report_url="https://socket.dev/report/123") + diff.packages = { + "pkg-1": Package( + id="pkg-1", + name="requests", + version="2.31.0", + type="pypi", + score={}, + alerts=[], + direct=True, + url="https://socket.dev/pypi/package/requests/overview/2.31.0", + license="Apache-2.0", + licenseDetails=[{"id": "Apache-2.0"}], + licenseAttrib=[{"id": "Apache-2.0"}], + purl="pkg:pypi/requests@2.31.0", + ) + } + + payload = build_fossa_attribution_payload(diff, config) + + assert sorted(payload.keys()) == ["dependencies", "project"] + assert sorted(payload["project"].keys()) == sorted(EXPECTED_PROJECT_KEYS) + assert payload["dependencies"] == [{ + "id": "pkg-1", + "name": "requests", + "version": "2.31.0", + "ecosystem": "pip", + "direct": True, + "url": "https://socket.dev/pypi/package/requests/overview/2.31.0", + "purl": "pkg:pypi/requests@2.31.0", + "declaredLicense": "Apache-2.0", + "licenseDetails": [{"id": "Apache-2.0"}], + "licenseAttrib": [{"id": "Apache-2.0"}], + }] From 88bdb969040c34036bc4f05f87ab9d10f8e18a32 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Thu, 21 May 2026 15:49:48 -0400 Subject: [PATCH 15/33] bump version for release Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- pyproject.toml | 2 +- socketsecurity/__init__.py | 2 +- uv.lock | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 4b7f380..137b98d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ build-backend = "hatchling.build" [project] name = "socketsecurity" -version = "2.2.89" +version = "2.2.91" requires-python = ">= 3.11" license = {"file" = "LICENSE"} dependencies = [ diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py index 9547cf5..7fdf737 100644 --- a/socketsecurity/__init__.py +++ b/socketsecurity/__init__.py @@ -1,3 +1,3 @@ __author__ = 'socket.dev' -__version__ = '2.2.89' +__version__ = '2.2.91' USER_AGENT = f'SocketPythonCLI/{__version__}' diff --git a/uv.lock b/uv.lock index 3266b98..1fce21b 100644 --- a/uv.lock +++ b/uv.lock @@ -1168,7 +1168,7 @@ wheels = [ [[package]] name = "socketsecurity" -version = "2.2.89" +version = "2.2.90" source = { editable = "." } dependencies = [ { name = "bs4" }, From 0462b77aa0f652ba425c53a25bea4283b9b7fb52 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Thu, 21 May 2026 15:50:29 -0400 Subject: [PATCH 16/33] fix version check sync logic to check pypi properly Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- .github/workflows/version-check.yml | 45 ++++++++++++++++----- .hooks/sync_version.py | 63 +++++++++++++++++++++++++---- uv.lock | 2 +- 3 files changed, 93 insertions(+), 17 deletions(-) diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml index 7c18905..1eefa27 100644 --- a/.github/workflows/version-check.yml +++ b/.github/workflows/version-check.yml @@ -35,16 +35,43 @@ jobs: MAIN_VERSION=$(git show origin/main:socketsecurity/__init__.py | grep -o "__version__.*" | awk '{print $3}' | tr -d "'") echo "MAIN_VERSION=$MAIN_VERSION" >> $GITHUB_ENV - # Compare versions using Python - python3 -c " + export PR_VERSION + export MAIN_VERSION + + # Compare against both main and latest published PyPI release. + python3 <<'PY' + import json + import os + import urllib.request from packaging import version - pr_ver = version.parse('${PR_VERSION}') - main_ver = version.parse('${MAIN_VERSION}') - if pr_ver <= main_ver: - print(f'❌ Version must be incremented! Main: {main_ver}, PR: {pr_ver}') - exit(1) - print(f'✅ Version properly incremented from {main_ver} to {pr_ver}') - " + + pr_ver = version.parse(os.environ["PR_VERSION"]) + main_ver = version.parse(os.environ["MAIN_VERSION"]) + + with urllib.request.urlopen("https://pypi.org/pypi/socketsecurity/json") as response: + pypi_data = json.load(response) + + published_versions = [] + for raw in pypi_data.get("releases", {}).keys(): + parsed = version.parse(raw) + if not parsed.is_prerelease and not parsed.is_devrelease: + published_versions.append(parsed) + + pypi_ver = max(published_versions) if published_versions else version.parse("0.0.0") + required_floor = max(main_ver, pypi_ver) + + if pr_ver <= required_floor: + print( + f"❌ Version must be greater than main and PyPI! " + f"Main: {main_ver}, PyPI: {pypi_ver}, PR: {pr_ver}" + ) + raise SystemExit(1) + + print( + f"✅ Version properly incremented. " + f"Main: {main_ver}, PyPI: {pypi_ver}, PR: {pr_ver}" + ) + PY - name: Require uv.lock update when pyproject changes run: | diff --git a/.hooks/sync_version.py b/.hooks/sync_version.py index 4abf179..57b29d3 100644 --- a/.hooks/sync_version.py +++ b/.hooks/sync_version.py @@ -12,7 +12,9 @@ VERSION_PATTERN = re.compile(r"__version__\s*=\s*['\"]([^'\"]+)['\"]") PYPROJECT_PATTERN = re.compile(r'^version\s*=\s*".*"$', re.MULTILINE) -PYPI_API = "https://test.pypi.org/pypi/socketsecurity/json" +STABLE_VERSION_PATTERN = re.compile(r"^\d+\.\d+\.\d+$") +PYPI_PROD_API = "https://pypi.org/pypi/socketsecurity/json" +PYPI_TEST_API = "https://test.pypi.org/pypi/socketsecurity/json" def read_version_from_init(path: pathlib.Path) -> str: content = path.read_text() @@ -39,17 +41,39 @@ def bump_patch_version(version: str) -> str: parts[-1] = str(int(parts[-1]) + 1) return ".".join(parts) -def fetch_existing_versions() -> set: +def parse_stable_version(version: str): + if not STABLE_VERSION_PATTERN.fullmatch(version): + return None + return tuple(int(part) for part in version.split(".")) + + +def format_stable_version(version_parts) -> str: + return ".".join(str(part) for part in version_parts) + + +def fetch_existing_versions(api_url: str) -> set: try: - with urllib.request.urlopen(PYPI_API) as response: + with urllib.request.urlopen(api_url) as response: data = json.load(response) return set(data.get("releases", {}).keys()) except Exception as e: - print(f"⚠️ Warning: Failed to fetch existing versions from Test PyPI: {e}") + print(f"⚠️ Warning: Failed to fetch versions from {api_url}: {e}") return set() + +def fetch_latest_stable_pypi_version(): + versions = fetch_existing_versions(PYPI_PROD_API) + stable_versions = [] + for ver in versions: + parsed = parse_stable_version(ver) + if parsed is not None: + stable_versions.append(parsed) + if not stable_versions: + return None + return max(stable_versions) + def find_next_available_dev_version(base_version: str) -> str: - existing_versions = fetch_existing_versions() + existing_versions = fetch_existing_versions(PYPI_TEST_API) for i in range(1, 100): candidate = f"{base_version}.dev{i}" if candidate not in existing_versions: @@ -57,6 +81,19 @@ def find_next_available_dev_version(base_version: str) -> str: print("❌ Could not find available .devN slot after 100 attempts.") sys.exit(1) + +def find_next_stable_patch_version(current_version: str) -> str: + current_stable = current_version.split(".dev")[0] if ".dev" in current_version else current_version + current_parts = parse_stable_version(current_stable) + if current_parts is None: + print(f"❌ Unsupported version format for stable bump: {current_version}") + sys.exit(1) + + latest_pypi_parts = fetch_latest_stable_pypi_version() + base_parts = max([current_parts, latest_pypi_parts] if latest_pypi_parts else [current_parts]) + next_parts = (base_parts[0], base_parts[1], base_parts[2] + 1) + return format_stable_version(next_parts) + def inject_version(version: str): print(f"🔁 Updating version to: {version}") @@ -105,13 +142,25 @@ def main(): print(f"⚠️ Version was unchanged — auto-bumped. Please git add{lock_hint} + commit again.") sys.exit(0) else: - new_version = bump_patch_version(current_version) + new_version = find_next_stable_patch_version(current_version) inject_version(new_version) uv_lock_changed = run_uv_lock() lock_hint = " and uv.lock" if uv_lock_changed else "" - print(f"⚠️ Version was unchanged — auto-bumped. Please git add{lock_hint} + commit again.") + print(f"⚠️ Version was unchanged — auto-bumped to {new_version}. Please git add{lock_hint} + commit again.") sys.exit(1) else: + if not dev_mode: + current_parts = parse_stable_version(current_version) + latest_pypi_parts = fetch_latest_stable_pypi_version() + if current_parts is not None and latest_pypi_parts is not None and current_parts <= latest_pypi_parts: + next_parts = (latest_pypi_parts[0], latest_pypi_parts[1], latest_pypi_parts[2] + 1) + new_version = format_stable_version(next_parts) + inject_version(new_version) + uv_lock_changed = run_uv_lock() + lock_hint = " and uv.lock" if uv_lock_changed else "" + print(f"⚠️ Version {current_version} is already published on PyPI — auto-bumped to {new_version}. Please git add{lock_hint} + commit again.") + sys.exit(1) + uv_lock_changed = run_uv_lock() if uv_lock_changed: print("⚠️ Version already bumped, but uv.lock was out of date and has been updated. Please git add uv.lock + commit again.") diff --git a/uv.lock b/uv.lock index 1fce21b..f8d6a54 100644 --- a/uv.lock +++ b/uv.lock @@ -1168,7 +1168,7 @@ wheels = [ [[package]] name = "socketsecurity" -version = "2.2.90" +version = "2.2.91" source = { editable = "." } dependencies = [ { name = "bs4" }, From fb58cd8c9453a12052567a1ed17a70d9a83ac2c8 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:23:31 -0700 Subject: [PATCH 17/33] test: add FOSSA reference fixtures and parity harness --- tests/fixtures/fossa/README.md | 10 + tests/fixtures/fossa/fossa-analyze-empty.json | 13 + .../fossa/fossa-analyze-populated.json | 1275 +++++++++++++++++ .../fixtures/fossa/fossa-sbom-empty-deep.json | 1 + .../fixtures/fossa/fossa-sbom-populated.json | 1 + tests/unit/test_fossa_parity.py | 47 + 6 files changed, 1347 insertions(+) create mode 100644 tests/fixtures/fossa/README.md create mode 100644 tests/fixtures/fossa/fossa-analyze-empty.json create mode 100644 tests/fixtures/fossa/fossa-analyze-populated.json create mode 100644 tests/fixtures/fossa/fossa-sbom-empty-deep.json create mode 100644 tests/fixtures/fossa/fossa-sbom-populated.json create mode 100644 tests/unit/test_fossa_parity.py diff --git a/tests/fixtures/fossa/README.md b/tests/fixtures/fossa/README.md new file mode 100644 index 0000000..72b3401 --- /dev/null +++ b/tests/fixtures/fossa/README.md @@ -0,0 +1,10 @@ +# FOSSA reference fixtures + +Captured from a UiPath Azure DevOps pipeline (CE-199, build 12109922) for parity testing. + +- `fossa-analyze-populated.json` — composed FOSSA analyze artifact with 11 vulnerabilities. +- `fossa-analyze-empty.json` — composed FOSSA analyze artifact with zero vulnerabilities. +- `fossa-sbom-populated.json` — `fossa report --json attribution` output with direct + deep dependencies. +- `fossa-sbom-empty-deep.json` — attribution output with empty `deepDependencies`. + +Source assets retained at `assets/` (gitignored) for reference. These four files are the structural-parity baseline. diff --git a/tests/fixtures/fossa/fossa-analyze-empty.json b/tests/fixtures/fossa/fossa-analyze-empty.json new file mode 100644 index 0000000..114c0c8 --- /dev/null +++ b/tests/fixtures/fossa/fossa-analyze-empty.json @@ -0,0 +1,13 @@ +{ + "project": { + "branch": "refs/heads/master", + "id": "custom+6060/DevTools-Validation-Pipeline-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux", + "project": "6060/DevTools-Validation-Pipeline", + "projectId": "custom+6060/DevTools-Validation-Pipeline", + "revision": "12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux", + "url": "https://app.fossa.com/account/saml/6060?next=/projects/custom%252b6060%252fDevTools-Validation-Pipeline/refs/branch/refs%252fheads%252fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux" + }, + "vulnerability": [], + "licensing": [], + "quality": [] +} diff --git a/tests/fixtures/fossa/fossa-analyze-populated.json b/tests/fixtures/fossa/fossa-analyze-populated.json new file mode 100644 index 0000000..5d0d5f5 --- /dev/null +++ b/tests/fixtures/fossa/fossa-analyze-populated.json @@ -0,0 +1,1275 @@ +{ + "project": { + "branch": "refs/heads/master", + "id": "custom+6060/DevTools-Validation-Pipeline-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "project": "6060/DevTools-Validation-Pipeline", + "projectId": "custom+6060/DevTools-Validation-Pipeline", + "revision": "12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "url": "https://app.fossa.com/account/saml/6060?next=/projects/custom%252b6060%252fDevTools-Validation-Pipeline/refs/branch/refs%252fheads%252fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux" + }, + "vulnerability": [ + { + "id": 11088939, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+certifi$2023.11.17", + "name": "certifi", + "url": "https://github.com/certifi/python-certifi", + "version": "2023.11.17", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 2, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088939?revisionScanId=106820047", + "vulnId": "CVE-2024-39689_pip+certifi", + "title": "Insufficient Verification of Data Authenticity", + "cve": "CVE-2024-39689", + "cvss": 7.5, + "severity": "high", + "details": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\"", + "remediation": { + "partialFix": "2024.7.4", + "partialFixDistance": "MAJOR", + "completeFix": "2024.7.4", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "None" + }, + { + "name": "Integrity Impact", + "value": "High" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-345" + ], + "published": "2024-07-05T19:15:10Z", + "affectedVersionRanges": [ + ">=2021.5.30,<2024.7.4" + ], + "patchedVersionRanges": [ + "2024.7.4" + ], + "references": [ + "https://github.com/advisories/GHSA-248v-346w-9cwc", + "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463", + "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc", + "https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2024-230.yaml", + "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI", + "https://pypi.org/project/certifi/", + "https://security.netapp.com/advisory/ntap-20241206-0001", + "https://security.netapp.com/advisory/ntap-20241206-0001/" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.21233, + "percentile": 0.95751 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 11088937, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+idna$3.6", + "name": "idna", + "url": "https://pypi.org/project/idna/", + "version": "3.6", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 2, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088937?revisionScanId=106820047", + "vulnId": "CVE-2024-3651_pip+idna", + "title": "Uncontrolled Resource Consumption", + "cve": "CVE-2024-3651", + "cvss": 7.5, + "severity": "high", + "details": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.", + "remediation": { + "partialFix": "3.7", + "completeFix": "3.7" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "None" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-400", + "CWE-1333" + ], + "published": "2024-07-07T18:15:00Z", + "affectedVersionRanges": [ + "<3.7" + ], + "patchedVersionRanges": [ + "3.7" + ], + "references": [ + "https://github.com/advisories/GHSA-jjg7-2v4v-x38h", + "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d", + "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h", + "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml", + "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb", + "https://lists.debian.org/debian-lts-announce/2024/05/msg00006.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YQUPYH3SVZ5GFF2CDQ55FCM575AZTF2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2S5E23N6E52S46KGNYTDFB75LOC4N4D", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5IDLLD2IKSIVRBSLB34WTSYGLMWUFWF", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULSC7HBJKXB3BZV367WM5BR6DFEC4Z43", + "https://pypi.org/project/idna/" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.0067, + "percentile": 0.71572 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 15980738, + "type": "vulnerability", + "createdAt": "2026-05-20T14:40:25.221Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 1, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2026-05-20T14:40:25.221+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/15980738?revisionScanId=106820047", + "vulnId": "CVE-2026-25645_pip+requests", + "title": "Insecure Temporary File", + "cve": "CVE-2026-25645", + "cvss": 4.4, + "severity": "medium", + "details": "Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.", + "remediation": { + "partialFix": "2.33.0", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Local" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "Low" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "None" + }, + { + "name": "Integrity Impact", + "value": "High" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-377" + ], + "published": "2026-03-25T17:16:52Z", + "affectedVersionRanges": [ + "<2.33.0" + ], + "patchedVersionRanges": [ + "2.33.0" + ], + "references": [ + "https://github.com/advisories/GHSA-gc5v-m9x4-r6x2", + "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7", + "https://github.com/psf/requests/releases/tag/v2.33.0", + "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2", + "https://pypi.org/project/requests/" + ], + "cvssVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 5E-05, + "percentile": 0.00232 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 11088938, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 1, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088938?revisionScanId=106820047", + "vulnId": "CVE-2024-47081_pip+requests", + "title": "Insufficiently Protected Credentials", + "cve": "CVE-2024-47081", + "cvss": 5.3, + "severity": "medium", + "details": "Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.", + "remediation": { + "partialFix": "2.32.4", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-522" + ], + "published": "2025-06-09T19:06:08Z", + "affectedVersionRanges": [ + "<2.32.4" + ], + "patchedVersionRanges": [ + "2.32.4" + ], + "references": [ + "http://seclists.org/fulldisclosure/2025/Jun/2", + "http://www.openwall.com/lists/oss-security/2025/06/03/11", + "http://www.openwall.com/lists/oss-security/2025/06/03/9", + "http://www.openwall.com/lists/oss-security/2025/06/04/1", + "http://www.openwall.com/lists/oss-security/2025/06/04/6", + "https://github.com/advisories/GHSA-9hjg-9r4m-mvj7", + "https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef", + "https://github.com/psf/requests/pull/6965", + "https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7", + "https://pypi.org/project/requests/", + "https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env", + "https://seclists.org/fulldisclosure/2025/Jun/2" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00208, + "percentile": 0.43056 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 9643353, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 1, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/9643353?revisionScanId=106820047", + "vulnId": "CVE-2024-35195_pip+requests", + "title": "Always-Incorrect Control Flow Implementation", + "cve": "CVE-2024-35195", + "cvss": 5.6, + "severity": "medium", + "details": "Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.", + "remediation": { + "partialFix": "2.32.0", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Local" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "High" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "High" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-670" + ], + "published": "2024-05-20T20:15:00Z", + "affectedVersionRanges": [ + "<2.32.0" + ], + "patchedVersionRanges": [ + "2.32.0" + ], + "references": [ + "https://github.com/advisories/GHSA-9wx4-h78v-vm56", + "https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac", + "https://github.com/psf/requests/pull/6655", + "https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ", + "https://pypi.org/project/requests/" + ], + "cvssVector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00044, + "percentile": 0.13635 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 9643352, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+requests$2.27.1", + "name": "requests", + "url": "https://pypi.org/project/requests/", + "version": "2.27.1", + "packageManager": "pip" + }, + "depths": { + "direct": 1, + "deep": 0 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 1, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/9643352?revisionScanId=106820047", + "vulnId": "CVE-2023-32681_pip+requests", + "title": "Exposure of Sensitive Information to an Unauthorized Actor", + "cve": "CVE-2023-32681", + "cvss": 6.1, + "severity": "medium", + "details": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.", + "remediation": { + "partialFix": "2.31.0", + "partialFixDistance": "MINOR", + "completeFix": "2.33.0", + "completeFixDistance": "MINOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "Required" + }, + { + "name": "Scope", + "value": "Changed" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-200" + ], + "published": "2023-05-26T18:15:00Z", + "affectedVersionRanges": [ + ">=2.3.0,<2.31.0" + ], + "patchedVersionRanges": [ + "2.31.0" + ], + "references": [ + "https://github.com/advisories/GHSA-j8r2-6x86-q33q", + "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5", + "https://github.com/psf/requests/releases/tag/v2.31.0", + "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q", + "https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/", + "https://pypi.org/project/requests/", + "https://security.gentoo.org/glsa/202309-08" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.06121, + "percentile": 0.90893 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 17096816, + "type": "vulnerability", + "createdAt": "2026-05-20T14:40:25.221Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 2, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2026-05-20T14:40:25.221+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/17096816?revisionScanId=106820047", + "vulnId": "CVE-2026-44431_pip+urllib3", + "title": "Exposure of Sensitive Information to an Unauthorized Actor", + "cve": "CVE-2026-44431", + "cvss": 8.2, + "severity": "high", + "details": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.", + "remediation": { + "partialFix": "2.7.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "High" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-200", + "NVD-CWE-noinfo" + ], + "published": "2026-05-13T16:16:57Z", + "affectedVersionRanges": [ + ">=1.23,<2.7.0" + ], + "patchedVersionRanges": [], + "references": [ + "https://github.com/advisories/GHSA-qccp-gfcp-xxvc", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.0004, + "percentile": 0.12165 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 14594289, + "type": "vulnerability", + "createdAt": "2026-02-20T18:40:20.814Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 2, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2026-02-20T18:40:20.814+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14594289?revisionScanId=106820047", + "vulnId": "CVE-2026-21441_pip+urllib3", + "title": "Improper Handling of Highly Compressed Data (Data Amplification)", + "cve": "CVE-2026-21441", + "cvss": 8.9, + "severity": "high", + "details": "urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.", + "remediation": { + "partialFix": "2.6.3", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-409" + ], + "published": "2026-01-07T22:15:44Z", + "affectedVersionRanges": [ + ">=1.22,<2.6.3" + ], + "patchedVersionRanges": [ + "2.6.3" + ], + "references": [ + "https://github.com/advisories/GHSA-38jv-5279-wg99", + "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99", + "https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00032, + "percentile": 0.09194 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 14169171, + "type": "vulnerability", + "createdAt": "2026-02-20T18:40:20.814Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 2, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2026-02-20T18:40:20.814+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14169171?revisionScanId=106820047", + "vulnId": "CVE-2025-66418_pip+urllib3", + "title": "Allocation of Resources Without Limits or Throttling", + "cve": "CVE-2025-66418", + "cvss": 8.9, + "severity": "high", + "details": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.", + "remediation": { + "partialFix": "2.6.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-770" + ], + "published": "2025-12-05T16:15:51Z", + "affectedVersionRanges": [ + ">=1.24,<2.6.0" + ], + "patchedVersionRanges": [ + "2.6.0" + ], + "references": [ + "https://github.com/advisories/GHSA-gm62-xv2j-4w53", + "https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00019, + "percentile": 0.05115 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 14169170, + "type": "vulnerability", + "createdAt": "2026-02-20T18:40:20.814Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 2, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2026-02-20T18:40:20.814+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14169170?revisionScanId=106820047", + "vulnId": "CVE-2025-66471_pip+urllib3", + "title": "Improper Handling of Highly Compressed Data (Data Amplification)", + "cve": "CVE-2025-66471", + "cvss": 8.9, + "severity": "high", + "details": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", + "remediation": { + "partialFix": "2.6.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "Low" + }, + { + "name": "Attack Requirements", + "value": "Present" + }, + { + "name": "Privileges Required", + "value": "None" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Confidentiality Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Integrity Impact to the Vulnerable System", + "value": "None" + }, + { + "name": "Availability Impact to the Vulnerable System", + "value": "High" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-409" + ], + "published": "2025-12-05T17:16:04Z", + "affectedVersionRanges": [ + ">=1.0,<2.6.0" + ], + "patchedVersionRanges": [ + "2.6.0" + ], + "references": [ + "https://github.com/advisories/GHSA-2xpw-w6gg-jr37", + "https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00017, + "percentile": 0.04227 + }, + "cpes": [], + "customRiskScore": null + }, + { + "id": 10198614, + "type": "vulnerability", + "createdAt": "2025-10-08T10:41:05.933Z", + "source": { + "id": "pip+urllib3$1.26.20", + "name": "urllib3", + "url": "https://pypi.org/project/urllib3/", + "version": "1.26.20", + "packageManager": "pip" + }, + "depths": { + "direct": 0, + "deep": 1 + }, + "containerLayers": { + "base": 0, + "other": 0 + }, + "statuses": { + "active": 1, + "ignored": 0 + }, + "projects": [ + { + "id": "custom+6060/DevTools-Validation-Pipeline", + "status": "active", + "depth": 2, + "title": "DevTools-Validation-Pipeline", + "scannedAt": "2026-05-21T17:48:13.555+00:00", + "analyzedAt": "2026-05-21T17:48:02.821Z", + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "firstFoundAt": "2025-10-08T10:41:05.933+00:00", + "defaultBranch": "refs/heads/test-fossa-scans", + "latest": false, + "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionScanId": 106820047 + } + ], + "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/10198614?revisionScanId=106820047", + "vulnId": "CVE-2025-50181_pip+urllib3", + "title": "URL Redirection to Untrusted Site ('Open Redirect')", + "cve": "CVE-2025-50181", + "cvss": 5.3, + "severity": "medium", + "details": "urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.", + "remediation": { + "partialFix": "2.5.0", + "partialFixDistance": "MAJOR", + "completeFix": "2.7.0", + "completeFixDistance": "MAJOR" + }, + "metrics": [ + { + "name": "Attack Vector", + "value": "Network" + }, + { + "name": "Attack Complexity", + "value": "High" + }, + { + "name": "Privileges Required", + "value": "Low" + }, + { + "name": "User Interaction", + "value": "None" + }, + { + "name": "Scope", + "value": "Unchanged" + }, + { + "name": "Confidentiality Impact", + "value": "High" + }, + { + "name": "Integrity Impact", + "value": "None" + }, + { + "name": "Availability Impact", + "value": "None" + } + ], + "cveStatus": "COMPLETED", + "cwes": [ + "CWE-601" + ], + "published": "2025-06-18T17:50:00Z", + "affectedVersionRanges": [ + "<2.5.0" + ], + "patchedVersionRanges": [ + "2.5.0" + ], + "references": [ + "https://github.com/advisories/GHSA-pq67-6m6q-mj2v", + "https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857", + "https://github.com/urllib3/urllib3/releases/tag/2.5.0", + "https://github.com/urllib3/urllib3/security/advisories/GHSA-pq67-6m6q-mj2v", + "https://pypi.org/project/urllib3/" + ], + "cvssVector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "exploitability": "UNKNOWN", + "epss": { + "score": 0.00079, + "percentile": 0.23201 + }, + "cpes": [], + "customRiskScore": null + } + ], + "licensing": [], + "quality": [] +} diff --git a/tests/fixtures/fossa/fossa-sbom-empty-deep.json b/tests/fixtures/fossa/fossa-sbom-empty-deep.json new file mode 100644 index 0000000..d0e69c9 --- /dev/null +++ b/tests/fixtures/fossa/fossa-sbom-empty-deep.json @@ -0,0 +1 @@ +{"copyrightsByLicense":{"MIT":["2013 Fatih Arslan","2016 Yasuhiro Matsumoto","Yasuhiro MATSUMOTO "]},"deepDependencies":[{"authors":["mattn","hymkor","koron","alecrabbit","dolmen","tklauser","ikedam","toshimaru","mislav","ncw","aviau","cenkalti","whereswaldon","secDre4mer","alexandear","radeksimko","segrey","magicshui","filimonov","naoyukis","rbtnn","tyru","uji"],"dependencyPaths":["github.com/fatih/color > github.com/mattn/go-colorable"],"description":"Cached by the Go Module Proxy at Wed, 29 Sep 2021 16:02:39 GMT","downloadUrl":"https://proxy.golang.org/github.com/mattn/go-colorable/@v/v0.1.9.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2016 Yasuhiro Matsumoto\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/mattn/go-colorable","projectUrl":"http://godoc.org/github.com/mattn/go-colorable","source":"go","title":"github.com/mattn/go-colorable","version":"v0.1.9"},{"authors":["mattn","tklauser","thesyncim","dolmen","renovate[bot]","shogo82148","aeppert","grafov","carlosedp","mysqto","dkegel-fastly","dmgk","ddevault","Mischi","fatih","cookieY","lgonzalez-silen","mahdi-hm","marcauberer","martinlindhe","ncw","radeksimko","sthibaul","CaptainCodeman","tjni","stuartnelson3"],"dependencyPaths":["github.com/fatih/color > github.com/mattn/go-colorable > github.com/mattn/go-isatty","github.com/fatih/color > github.com/mattn/go-isatty"],"description":"Cached by the Go Module Proxy at Sun, 29 Aug 2021 14:41:14 GMT","downloadUrl":"https://proxy.golang.org/github.com/mattn/go-isatty/@v/v0.0.14.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) Yasuhiro MATSUMOTO \nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/mattn/go-isatty","projectUrl":"http://godoc.org/github.com/mattn/go-isatty","source":"go","title":"github.com/mattn/go-isatty","version":"v0.0.14"}],"directDependencies":[{"authors":["fatih","dependabot[bot]","gregpoirson","pellared","n10v","sashamelentyev","bl-ue","zddhub","ataypamart","pattmax00","qualidafial","martinlindhe","msabramo","rhysd","Tonkpils","klauspost","jeffwillette","hackebrot","sinan","tliron","morfu","mattn","majiayu000","UnSubble","ilyabrin","hyunsooda","hermanschaaf","DrKhyz","EdwardBetts","dmitris","cenkalti","moorereason","andrewaustin","deining","AlekSi","klaidliadon","ahmetb","achilleas-k"],"dependencyPaths":["github.com/fatih/color"],"description":"Color package for Go (golang)","downloadUrl":"https://proxy.golang.org/github.com/fatih/color/@v/v1.13.0.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2013 Fatih Arslan\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/fatih/color","projectUrl":"https://pkg.go.dev/github.com/fatih/color","source":"go","title":"github.com/fatih/color","version":"v1.13.0"}],"licenses":{"MIT":"MIT License\nCopyright (c) \n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."},"project":{"name":"DevTools-Validation-Pipeline","revision":"12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-windows"}} \ No newline at end of file diff --git a/tests/fixtures/fossa/fossa-sbom-populated.json b/tests/fixtures/fossa/fossa-sbom-populated.json new file mode 100644 index 0000000..3a2d4ec --- /dev/null +++ b/tests/fixtures/fossa/fossa-sbom-populated.json @@ -0,0 +1 @@ +{"copyrightsByLicense":{"Apache-2.0":["Amazon.com, Inc. or its affiliates. All Rights Reserved."," Amazon.com, Inc. or its affiliates. All Rights Reserved.","2015 Google Inc. All rights reserved."],"BSD-3-Clause":["2013-2023 Kim Davies and contributors.","2022 Intel Corporation","2023 Intel Corporation","2019 Google LLC","2024 Arm Limited and/or its affiliates ","2022-2023 Intel Corporation","2021 Serge Sans Paille","2010 Jonathan Hartley","2014 Bibek Kafle and Roland Shoemaker","2014 John MacFarlane","Individual contributors.","2015 The Go Authors. All rights reserved."," Individual contributors.","2005-2020 NumPy Developers."],"CC-BY-SA-4.0":[],"IETF":[],"MIT":["2020 Will McGugan"," Sindre Sorhus (sindresorhus.com)","2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2012-2013 Mitch Garnaat http://garnaat.org/","2012-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2013 Kenneth Reitz","2008-2011 Andrey Petrov and contributors (see CONTRIBUTORS.txt),","2012 Kenneth Reitz.","2010-2020 Benjamin Peterson","2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt)","2015-2016 Will Bond ","2012 Senko Rasic ","2008-2020 Andrey Petrov and contributors.","2019 TAHRI Ahmed R."],"MPL-2.0":["2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2019-2022 Pyodide contributors and Mozilla","2013 Kenneth Reitz","2008-2011 Andrey Petrov and contributors (see CONTRIBUTORS.txt),","2012 Kenneth Reitz."]},"deepDependencies":[{"authors":["me@kennethreitz.com"],"dependencyPaths":["requests > certifi"],"description":"Python package for providing Mozilla's CA Bundle.","downloadUrl":"https://files.pythonhosted.org/packages/d4/91/c89518dd4fe1f3a4e3f6ab7ff23cb00ef2e8c9adf99dacc618ad5e068e28/certifi-2023.11.17.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"This package contains a modified version of ca-bundle.crt:\n\nca-bundle.crt -- Bundle of CA Root Certificates\n\nThis is a bundle of X.509 certificates of public Certificate Authorities\n(CA). These were automatically extracted from Mozilla's root certificates\nfile (certdata.txt). This file can be found in the mozilla source tree:\nhttps://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt\nIt contains the certificates in PEM format and therefore\ncan be directly used with curl / libcurl / php_curl, or with\nan Apache+mod_ssl webserver for SSL client authentication.\nJust configure this file as the SSLCACertificateFile.#\n\n***** BEGIN LICENSE BLOCK *****\nThis Source Code Form is subject to the terms of the Mozilla Public License,\nv. 2.0. If a copy of the MPL was not distributed with this file, You can obtain\none at http://mozilla.org/MPL/2.0/.\n\n***** END LICENSE BLOCK *****\n@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $\n","name":"MPL-2.0"}],"notes":[],"otherLicenses":[],"package":"certifi","projectUrl":"https://github.com/certifi/python-certifi","source":"pip","title":"certifi","version":"2023.11.17"},{"authors":["\"Ahmed R. TAHRI\" "],"dependencyPaths":["requests > charset-normalizer"],"description":"The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.","downloadUrl":"https://files.pythonhosted.org/packages/56/31/7bcaf657fafb3c6db8c787a865434290b726653c912085fbd371e9b92e1c/charset-normalizer-2.0.12.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2019 TAHRI Ahmed R.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"charset-normalizer","projectUrl":"https://pypi.org/project/charset-normalizer/","source":"pip","title":"charset-normalizer","version":"2.0.12"},{"authors":["Jonathan Hartley "],"dependencyPaths":["rich > colorama"],"description":"Cross-platform colored terminal text.","downloadUrl":"https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2010 Jonathan Hartley\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n this list of conditions and the following disclaimer in the documentation\n and/or other materials provided with the distribution.\n\n* Neither the name of the copyright holders, nor those of its contributors\n may be used to endorse or promote products derived from this software without\n specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"colorama","projectUrl":"https://pypi.org/project/colorama/","source":"pip","title":"colorama","version":"0.4.6"},{"authors":["rolandshoemaker@gmail.com"],"dependencyPaths":["rich > commonmark"],"description":"commonmark.py\n=============\n\ncommonmark.py is a pure Python port of `jgm `__'s\n`commonmark.js `__, a\nMarkdown parser and renderer for the\n`CommonMark `__ specification, using only native\nmodules. Once both this project and the CommonMark specification are\nstable we will release the first ``1.0`` version and attempt to keep up\nto date with changes in ``commonmark.js``.\n\ncommonmark.py is tested against the CommonMark spec with Python versions\n2.7, 3.4, 3.5, 3.6, and 3.7.\n\n**Current version:** 0.9.1\n\n|Pypi Link| |Build Status| |Doc Link|\n\nInstallation\n------------\n\n::\n\n $ pip install commonmark\n\nUsage\n-----\n\n::\n\n >>> import commonmark\n >>> commonmark.commonmark('*hello!*')\n '

hello!

\\n'\n\nOr, without the syntactic sugar:\n\n.. code:: python\n\n import commonmark\n parser = commonmark.Parser()\n ast = parser.parse(\"Hello *World*\")\n\n renderer = commonmark.HtmlRenderer()\n html = renderer.render(ast)\n print(html) #

Hello World

\n\n # inspecting the abstract syntax tree\n json = commonmark.dumpJSON(ast)\n commonmark.dumpAST(ast) # pretty print generated AST structure\n\nThere is also a CLI:\n\n::\n\n $ cmark README.md -o README.html\n $ cmark README.md -o README.json -aj # output AST as JSON\n $ cmark README.md -a # pretty print generated AST structure\n $ cmark -h\n usage: cmark [-h] [-o [O]] [-a] [-aj] [infile]\n\n Process Markdown according to the CommonMark specification.\n\n positional arguments:\n infile Input Markdown file to parse, defaults to stdin\n\n optional arguments:\n -h, --help show this help message and exit\n -o [O] Output HTML/JSON file, defaults to stdout\n -a Print formatted AST\n -aj Output JSON AST\n\n\nContributing\n------------\n\nIf you would like to offer suggestions/optimizations/bugfixes through\npull requests please do! Also if you find an error in the\nparser/renderer that isn't caught by the current test suite please open\na new issue and I would also suggest you send the\n`commonmark.js `__ project\na pull request adding your test to the existing test suite.\n\nTests\n-----\n\nTo work on commonmark.py, you will need to be able to run the test suite to\nmake sure your changes don't break anything. To run the tests, you can do\nsomething like this:\n\n::\n\n $ pyvenv venv\n $ ./venv/bin/python setup.py develop test\n\nThe tests script, ``commonmark/tests/run_spec_tests.py``, is pretty much a devtool. As\nwell as running all the tests embedded in ``spec.txt`` it also allows you\nto run specific tests using the ``-t`` argument, provide information\nabout passed tests with ``-p``, percentage passed by category of test\nwith ``-s``, and enter markdown interactively with ``-i`` (In\ninteractive mode end a block by inputting a line with just ``end``, to\nquit do the same but with ``quit``). ``-d`` can be used to print call\ntracing.\n\n::\n\n $ ./venv/bin/python commonmark/tests/run_spec_tests.py -h\n usage: run_spec_tests.py [-h] [-t T] [-p] [-f] [-i] [-d] [-np] [-s]\n\n script to run the CommonMark specification tests against the commonmark.py\n parser.\n\n optional arguments:\n -h, --help show this help message and exit\n -t T Single test to run or comma separated list of tests (-t 10 or -t 10,11,12,13)\n -p Print passed test information\n -f Print failed tests (during -np...)\n -i Interactive Markdown input mode\n -d Debug, trace calls\n -np Only print section header, tick, or cross\n -s Print percent of tests passed by category\n\nAuthors\n-------\n\n- `Bibek Kafle `__\n- `Roland Shoemaker `__\n- `Nikolas Nyby `__\n\n.. |Pypi Link| image:: https://img.shields.io/pypi/v/commonmark.svg\n :target: https://pypi.org/project/commonmark/\n\n.. |Build Status| image:: https://travis-ci.org/rtfd/commonmark.py.svg?branch=master\n :target: https://travis-ci.org/rtfd/commonmark.py\n\n.. |Doc Link| image:: https://readthedocs.org/projects/commonmarkpy/badge/?version=latest\n :target: https://commonmarkpy.readthedocs.io/en/latest/?badge=latest\n :alt: Documentation Status\n\n\n","downloadUrl":"https://files.pythonhosted.org/packages/60/48/a60f593447e8f0894ebb7f6e6c1f25dafc5e89c5879fdc9360ae93ff83f0/commonmark-0.9.1.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2014, Bibek Kafle and Roland Shoemaker\r\n\r\nBased on stmd.js: Copyright (c) 2014, John MacFarlane\r\n\r\nAll rights reserved.\r\n\r\nRedistribution and use in source and binary forms, with or without\r\nmodification, are permitted provided that the following conditions are met:\r\n\r\n * Redistributions of source code must retain the above copyright\r\n notice, this list of conditions and the following disclaimer.\r\n\r\n * Redistributions in binary form must reproduce the above\r\n copyright notice, this list of conditions and the following\r\n disclaimer in the documentation and/or other materials provided\r\n with the distribution.\r\n\r\n * Neither the names of Bibek Kafle, Roland Shoemaker nor the names of other\r\n contributors may be used to endorse or promote products derived\r\n from this software without specific prior written permission.\r\n\r\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\r\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\r\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\r\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\r\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\r\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\r\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\r\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\r\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\r\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\r\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[{"attribution":"Attribution-ShareAlike 4.0 International<>\nUsing Creative Commons Public Licenses\nCreative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.\nConsiderations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors : wiki.creativecommons.org/Considerations_for_licensors\nConsiderations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described.\nAlthough not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public : wiki.creativecommons.org/Considerations_for_licensees\nCreative Commons Attribution-ShareAlike 4.0 International Public License\nBy exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License (\"Public License\"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.\nSection 1 – Definitions.\n a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.\n b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.\n c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.\n d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.\n e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.\n f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.\n g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.\n h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.\n i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.\n j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.\n k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.\n l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.\n m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.\nSection 2 – Scope.\n a. License grant.\n 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:\n A. reproduce and Share the Licensed Material, in whole or in part; and\n B. produce, reproduce, and Share Adapted Material.\n 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.\n 3. Term. The term of this Public License is specified in Section 6(a).\n 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.\n 5. Downstream recipients.\n A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.\n B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter's License You apply.\n C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.\n 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).\n b. Other rights.\n 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.\n 2. Patent and trademark rights are not licensed under this Public License.\n 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.\nSection 3 – License Conditions.\nYour exercise of the Licensed Rights is expressly made subject to the following conditions.\n a. Attribution.\n 1. If You Share the Licensed Material (including in modified form), You must:\n A. retain the following if it is supplied by the Licensor with the Licensed Material:\n i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);\n ii. a copyright notice;\n iii. a notice that refers to this Public License;\n iv. a notice that refers to the disclaimer of warranties;\n v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;\n B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and\n C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.\n 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.\n 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.\n b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.\n 1. The Adapter's License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.\n 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.\n 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.\nSection 4 – Sui Generis Database Rights.\nWhere the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;\n b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.\n For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.\nSection 5 – Disclaimer of Warranties and Limitation of Liability.\n a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.\n b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.\n c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.\nSection 6 – Term and Termination.\n a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.\n b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:\n 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or\n 2. upon express reinstatement by the Licensor.\n c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.\n d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.\n e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.\nSection 7 – Other Terms and Conditions.\n a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.\n b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.\nSection 8 – Interpretation.\n a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.\n b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.\n c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.\n d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.\nCreative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the \"Licensor.\" Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark \"Creative Commons\" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.\nCreative Commons may be contacted at creativecommons.org.","name":"CC-BY-SA-4.0"}],"package":"commonmark","projectUrl":"https://github.com/rtfd/commonmark.py","source":"pip","title":"commonmark","version":"0.9.1"},{"authors":["Kim Davies "],"dependencyPaths":["requests > idna"],"description":"Internationalized Domain Names in Applications (IDNA)","downloadUrl":"https://files.pythonhosted.org/packages/bf/3f/ea4b9117521a1e9c50344b909be7886dd00a519552724809bb1f486986c2/idna-3.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"BSD 3-Clause License\n\nCopyright (c) 2013-2023, Kim Davies and contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n3. Neither the name of the copyright holder nor the names of its\n contributors may be used to endorse or promote products derived from\n this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED\nTO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR\nPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF\nLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"idna","projectUrl":"https://pypi.org/project/idna/","source":"pip","title":"idna","version":"3.6"},{"authors":["Andrey Petrov "],"dependencyPaths":["requests > urllib3"],"description":"HTTP library with thread-safe connection pooling, file post, and more.","downloadUrl":"https://files.pythonhosted.org/packages/e4/e8/6ff5e6bc22095cfc59b6ea711b687e2b7ed4bdb373f7eeec370a97d7392f/urllib3-1.26.20.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt)\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[{"attribution":"Copyright 2015 Google Inc. All rights reserved.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\nSee the License for the specific language governing permissions and limitations under the License.","name":"Apache-2.0"}],"package":"urllib3","projectUrl":"https://pypi.org/project/urllib3/","source":"pip","title":"urllib3","version":"1.26.20"}],"directDependencies":[{"authors":["Amazon Web Services"],"dependencyPaths":["botocore"],"description":"Low-level, data-driven core of boto 3.","downloadUrl":"https://files.pythonhosted.org/packages/6d/a1/95ec376c2300e605225998619c46f7093c515710b9d6d65f891f126f32b6/botocore-1.43.12.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[{"attribution":"Copyright (c) 2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"},{"attribution":"1. Definitions\n 1.1. \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.\n 1.2. \"Contributor Version\" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.\n 1.3. \"Contribution\" means Covered Software of a particular Contributor.\n 1.4. \"Covered Software\" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.\n 1.5. \"Incompatible With Secondary Licenses\" means\n (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or\n (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.\n 1.6. \"Executable Form\" means any form of the work other than Source Code Form.\n 1.7. \"Larger Work\" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.\n 1.8. \"License\" means this document.\n 1.9. \"Licensable\" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.\n 1.10. \"Modifications\" means any of the following:\n (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or\n (b) any new file in Source Code Form that contains any Covered Software.\n 1.11. \"Patent Claims\" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.\n 1.12. \"Secondary License\" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.\n 1.13. \"Source Code Form\" means the form of the work preferred for making modifications.\n 1.14. \"You\" (or \"Your\") means an individual or a legal entity exercising rights under this License. For legal entities, \"You\" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, \"control\" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.\n 2. License Grants and Conditions\n 2.1. Grants\n Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:\n (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and\n (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.\n 2.2. Effective Date\n The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.\n 2.3. Limitations on Grant Scope\n The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:\n (a) for any code that a Contributor has removed from Covered Software; or\n (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or\n (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.\n This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).\n 2.4. Subsequent Licenses\n No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).\n 2.5. Representation\n Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.\n 2.6. Fair Use\n This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.\n 2.7. Conditions\n Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.\n 3. Responsibilities\n 3.1. Distribution of Source Form\n All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.\n 3.2. Distribution of Executable Form\n If You distribute Covered Software in Executable Form then:\n (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and\n (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.\n 3.3. Distribution of a Larger Work\n You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).\n 3.4. Notices\n You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.\n 3.5. Application of Additional Terms\n You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.\n 4. Inability to Comply Due to Statute or Regulation\n If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.\n 5. Termination\n 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.\n 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.\n 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.\n 6. Disclaimer of Warranty\n Covered Software is provided under this License on an \"as is\" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.\n 7. Limitation of Liability\n Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.\n 8. Litigation\n Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.\n 9. Miscellaneous\n This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.\n 10. Versions of the License\n 10.1. New Versions\n Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.\n 10.2. Effect of New Versions\n You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.\n 10.3. Modified Versions\n If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).\n 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.","name":"MPL-2.0"}],"package":"botocore","projectUrl":"https://github.com/boto/botocore","source":"pip","title":"botocore","version":"1.43.12"},{"authors":["The Python Cryptographic Authority and individual contributors "],"dependencyPaths":["cryptography"],"description":"cryptography is a package which provides cryptographic recipes and primitives to Python developers.","downloadUrl":"https://files.pythonhosted.org/packages/9f/a9/db8f313fdcd85d767d4973515e1db101f9c71f95fced83233de224673757/cryptography-48.0.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) Individual contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n\n 2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n 3. Neither the name of PyCA Cryptography nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"},{"attribution":"This software is made available under the terms of *either* of the licenses\nfound in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made\nunder the terms of *both* these licenses.\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[{"attribution":"This repository relates to activities in the Internet Engineering Task Force (IETF). All material in this repository is considered Contributions to the IETF Standards Process, as defined in the intellectual property policies of IETF currently designated as BCP 78, BCP 79 and the IETF Trust Legal Provisions (TLP) Relating to IETF Documents.\n\nAny edit, commit, pull request, issue, comment or other change made to this repository constitutes Contributions to the IETF Standards Process (https://www.ietf.org/).\n\nYou agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions.","name":"IETF"}],"package":"cryptography","projectUrl":"https://pypi.org/project/cryptography/","source":"pip","title":"cryptography","version":"48.0.0"},{"authors":[],"dependencyPaths":["numpy"],"description":null,"downloadUrl":"https://files.pythonhosted.org/packages/d0/ad/fed0499ce6a338d2a03ebae59cd15093910c8875328855781952abf6c2fe/numpy-2.4.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2005-2020, NumPy Developers.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n * Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n * Redistributions in binary form must reproduce the above\n copyright notice, this list of conditions and the following\n disclaimer in the documentation and/or other materials provided\n with the distribution.\n\n * Neither the name of the NumPy Developers nor the names of any\n contributors may be used to endorse or promote products derived\n from this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"numpy","projectUrl":null,"source":"pip","title":"numpy","version":"2.4.6"},{"authors":["Kenneth Reitz "],"dependencyPaths":["requests"],"description":"Python HTTP for Humans.","downloadUrl":"https://files.pythonhosted.org/packages/60/f3/26ff3767f099b73e0efa138a9998da67890793bfa475d8278f84a30fec77/requests-2.27.1.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[],"package":"requests","projectUrl":"https://pypi.org/project/requests/","source":"pip","title":"requests","version":"2.27.1"},{"authors":["willmcgugan@gmail.com"],"dependencyPaths":["rich"],"description":"Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal","downloadUrl":"https://files.pythonhosted.org/packages/eb/be/bd5d6c37f5de55f31cb9432e0d926ceeab1b2ee774bd696557b53bc15012/rich-11.0.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2020 Will McGugan\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"rich","projectUrl":"https://pypi.org/project/rich/","source":"pip","title":"rich","version":"11.0.0"},{"authors":["Andrey Petrov "],"dependencyPaths":["urllib3"],"description":"HTTP library with thread-safe connection pooling, file post, and more.","downloadUrl":"https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2008-2020 Andrey Petrov and contributors.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[{"attribution":"1. Definitions\n 1.1. \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.\n 1.2. \"Contributor Version\" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.\n 1.3. \"Contribution\" means Covered Software of a particular Contributor.\n 1.4. \"Covered Software\" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.\n 1.5. \"Incompatible With Secondary Licenses\" means\n (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or\n (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.\n 1.6. \"Executable Form\" means any form of the work other than Source Code Form.\n 1.7. \"Larger Work\" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.\n 1.8. \"License\" means this document.\n 1.9. \"Licensable\" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.\n 1.10. \"Modifications\" means any of the following:\n (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or\n (b) any new file in Source Code Form that contains any Covered Software.\n 1.11. \"Patent Claims\" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.\n 1.12. \"Secondary License\" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.\n 1.13. \"Source Code Form\" means the form of the work preferred for making modifications.\n 1.14. \"You\" (or \"Your\") means an individual or a legal entity exercising rights under this License. For legal entities, \"You\" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, \"control\" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.\n 2. License Grants and Conditions\n 2.1. Grants\n Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:\n (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and\n (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.\n 2.2. Effective Date\n The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.\n 2.3. Limitations on Grant Scope\n The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:\n (a) for any code that a Contributor has removed from Covered Software; or\n (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or\n (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.\n This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).\n 2.4. Subsequent Licenses\n No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).\n 2.5. Representation\n Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.\n 2.6. Fair Use\n This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.\n 2.7. Conditions\n Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.\n 3. Responsibilities\n 3.1. Distribution of Source Form\n All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.\n 3.2. Distribution of Executable Form\n If You distribute Covered Software in Executable Form then:\n (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and\n (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.\n 3.3. Distribution of a Larger Work\n You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).\n 3.4. Notices\n You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.\n 3.5. Application of Additional Terms\n You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.\n 4. Inability to Comply Due to Statute or Regulation\n If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.\n 5. Termination\n 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.\n 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.\n 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.\n 6. Disclaimer of Warranty\n Covered Software is provided under this License on an \"as is\" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.\n 7. Limitation of Liability\n Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.\n 8. Litigation\n Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.\n 9. Miscellaneous\n This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.\n 10. Versions of the License\n 10.1. New Versions\n Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.\n 10.2. Effect of New Versions\n You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.\n 10.3. Modified Versions\n If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).\n 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.","name":"MPL-2.0"}],"package":"urllib3","projectUrl":"https://pypi.org/project/urllib3/","source":"pip","title":"urllib3","version":"2.7.0"}],"licenses":{"Apache-2.0":"This software is made available under the terms of *either* of the licenses\nfound in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made\nunder the terms of *both* these licenses.\n","BSD-3-Clause":"Copyright (c) Individual contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n\n 2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n 3. Neither the name of PyCA Cryptography nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","CC-BY-SA-4.0":"Creative Commons Attribution-ShareAlike 4.0 International Creative Commons Corporation (\"Creative Commons\") is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an \"as-is\" basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.\nUsing Creative Commons Public Licenses\nCreative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.\nConsiderations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors : wiki.creativecommons.org/Considerations_for_licensors\nConsiderations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described.\nAlthough not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public : wiki.creativecommons.org/Considerations_for_licensees\nCreative Commons Attribution-ShareAlike 4.0 International Public License\nBy exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License (\"Public License\"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.\nSection 1 – Definitions.\n a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.\n b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.\n c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.\n d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.\n e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.\n f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.\n g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.\n h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.\n i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.\n j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.\n k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.\n l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.\n m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.\nSection 2 – Scope.\n a. License grant.\n 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:\n A. reproduce and Share the Licensed Material, in whole or in part; and\n B. produce, reproduce, and Share Adapted Material.\n 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.\n 3. Term. The term of this Public License is specified in Section 6(a).\n 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.\n 5. Downstream recipients.\n A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.\n B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter's License You apply.\n C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.\n 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).\n b. Other rights.\n 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.\n 2. Patent and trademark rights are not licensed under this Public License.\n 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.\nSection 3 – License Conditions.\nYour exercise of the Licensed Rights is expressly made subject to the following conditions.\n a. Attribution.\n 1. If You Share the Licensed Material (including in modified form), You must:\n A. retain the following if it is supplied by the Licensor with the Licensed Material:\n i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);\n ii. a copyright notice;\n iii. a notice that refers to this Public License;\n iv. a notice that refers to the disclaimer of warranties;\n v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;\n B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and\n C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.\n 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.\n 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.\n b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.\n 1. The Adapter's License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.\n 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.\n 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.\nSection 4 – Sui Generis Database Rights.\nWhere the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;\n b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.\n For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.\nSection 5 – Disclaimer of Warranties and Limitation of Liability.\n a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.\n b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.\n c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.\nSection 6 – Term and Termination.\n a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.\n b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:\n 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or\n 2. upon express reinstatement by the Licensor.\n c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.\n d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.\n e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.\nSection 7 – Other Terms and Conditions.\n a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.\n b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.\nSection 8 – Interpretation.\n a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.\n b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.\n c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.\n d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.\nCreative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the \"Licensor.\" The text of the Creative Commons public licenses is dedicated to the public domain under the CC0 Public Domain Dedication. Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark \"Creative Commons\" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.\nCreative Commons may be contacted at creativecommons.org.","IETF":"This repository relates to activities in the Internet Engineering Task Force (IETF). All material in this repository is considered Contributions to the IETF Standards Process, as defined in the intellectual property policies of IETF currently designated as BCP 78, BCP 79 and the IETF Trust Legal Provisions (TLP) Relating to IETF Documents.\n\nAny edit, commit, pull request, issue, comment or other change made to this repository constitutes Contributions to the IETF Standards Process (https://www.ietf.org/).\n\nYou agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions.","MIT":"MIT License\n\nCopyright (c) 2019 TAHRI Ahmed R.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","MPL-2.0":"This package contains a modified version of ca-bundle.crt:\n\nca-bundle.crt -- Bundle of CA Root Certificates\n\nThis is a bundle of X.509 certificates of public Certificate Authorities\n(CA). These were automatically extracted from Mozilla's root certificates\nfile (certdata.txt). This file can be found in the mozilla source tree:\nhttps://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt\nIt contains the certificates in PEM format and therefore\ncan be directly used with curl / libcurl / php_curl, or with\nan Apache+mod_ssl webserver for SSL client authentication.\nJust configure this file as the SSLCACertificateFile.#\n\n***** BEGIN LICENSE BLOCK *****\nThis Source Code Form is subject to the terms of the Mozilla Public License,\nv. 2.0. If a copy of the MPL was not distributed with this file, You can obtain\none at http://mozilla.org/MPL/2.0/.\n\n***** END LICENSE BLOCK *****\n@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $\n"},"project":{"name":"DevTools-Validation-Pipeline","revision":"12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux"}} diff --git a/tests/unit/test_fossa_parity.py b/tests/unit/test_fossa_parity.py new file mode 100644 index 0000000..c74c3c5 --- /dev/null +++ b/tests/unit/test_fossa_parity.py @@ -0,0 +1,47 @@ +"""Structural parity tests: assert our FOSSA-shaped output matches real FOSSA artifact shapes. + +These tests load real FOSSA artifacts captured from a customer pipeline and compare them +against our --legal-format fossa output by shape (key sets + value types), not by value. +A value-level golden test would be too brittle; the goal is to catch structural drift. +""" +from __future__ import annotations + +import json +from pathlib import Path + +FIXTURE_DIR = Path(__file__).parent.parent / "fixtures" / "fossa" + + +def _load(name: str) -> dict: + return json.loads((FIXTURE_DIR / name).read_text()) + + +def test_fixtures_present_and_parseable(): + """Sanity: all four FOSSA reference fixtures load as JSON objects.""" + for name in ( + "fossa-analyze-populated.json", + "fossa-analyze-empty.json", + "fossa-sbom-populated.json", + "fossa-sbom-empty-deep.json", + ): + data = _load(name) + assert isinstance(data, dict), f"{name} should be a JSON object at the top level" + + +def test_analyze_fixture_top_level_shape(): + """The real FOSSA analyze artifact has exactly these top-level keys.""" + data = _load("fossa-analyze-populated.json") + assert set(data.keys()) == {"project", "vulnerability", "licensing", "quality"} + assert "risk" not in data # FOSSA API 400s on risk category; key never appears + + +def test_sbom_fixture_top_level_shape(): + """The real FOSSA attribution artifact has exactly these 5 top-level keys.""" + data = _load("fossa-sbom-populated.json") + assert set(data.keys()) == { + "copyrightsByLicense", + "deepDependencies", + "directDependencies", + "licenses", + "project", + } From 2d5f84b2381fa73bee19284ad721fe2b2e79dc57 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:27:40 -0700 Subject: [PATCH 18/33] fix: emit fossa project.id as \$ Real FOSSA artifacts use \$ as the revision separator in project.id, not \-. Update _build_project_metadata and add two tests that pin the correct separator and fallback behaviour. --- socketsecurity/fossa_compat.py | 5 ++--- tests/unit/test_fossa_compat.py | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py index 4708096..bb0a25f 100644 --- a/socketsecurity/fossa_compat.py +++ b/socketsecurity/fossa_compat.py @@ -45,12 +45,11 @@ def _build_project_metadata(diff_report: Diff, config: CliConfig) -> dict[str, A branch = getattr(config, "branch", None) or "socket-default-branch" revision = getattr(diff_report, "id", None) or getattr(diff_report, "new_scan_id", None) or "unknown-revision" report_url = getattr(diff_report, "report_url", None) or getattr(diff_report, "diff_url", None) - project_id = repo return { "branch": branch, - "id": f"{project_id}-{revision}", + "id": f"{repo}${revision}", "project": repo, - "projectId": project_id, + "projectId": repo, "revision": revision, "url": report_url, } diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index 4e0b7c2..83e08b5 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -144,6 +144,38 @@ def test_fossa_report_payload_vulnerability_shape_is_stable(): assert generated_vulnerability["cve"] == "CVE-2024-47081" +def test_project_metadata_uses_dollar_revision_separator(): + """The composed FOSSA `project.id` is `$`.""" + from socketsecurity.fossa_compat import _build_project_metadata + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa", "--repo", "acme/widgets", "--branch", "refs/heads/main"]) + diff = Diff(id="scan-abc123", report_url="https://socket.dev/x") + project = _build_project_metadata(diff, config) + assert project == { + "branch": "refs/heads/main", + "id": "acme/widgets$scan-abc123", + "project": "acme/widgets", + "projectId": "acme/widgets", + "revision": "scan-abc123", + "url": "https://socket.dev/x", + } + + +def test_project_metadata_fallbacks_when_missing_fields(): + """Falls back to literal placeholders when config/diff are sparse.""" + from socketsecurity.fossa_compat import _build_project_metadata + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + # Force absent repo/branch: + config.repo = None + config.branch = None + diff = Diff() + project = _build_project_metadata(diff, config) + assert project["branch"] == "socket-default-branch" + assert project["project"] == "socket-default-repo" + assert project["revision"] == "unknown-revision" + assert project["id"] == "socket-default-repo$unknown-revision" + assert project["url"] is None + + def test_fossa_attribution_payload_shape_is_stable(): config = CliConfig.from_args([ "--api-token", "test", From dd935ed3e095ff14bc7454430f94788fd48afef4 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:29:47 -0700 Subject: [PATCH 19/33] test: lock fossa analyze top-level keyset invariants --- tests/unit/test_fossa_compat.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index 83e08b5..89ea178 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -217,3 +217,21 @@ def test_fossa_attribution_payload_shape_is_stable(): "licenseDetails": [{"id": "Apache-2.0"}], "licenseAttrib": [{"id": "Apache-2.0"}], }] + + +def test_analyze_payload_top_level_keys_exactly_four(): + """The composed FOSSA analyze artifact has exactly project/vulnerability/licensing/quality.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + diff = Diff() # empty alerts + payload = build_fossa_report_payload(diff, config) + assert set(payload.keys()) == {"project", "vulnerability", "licensing", "quality"} + assert "risk" not in payload + + +def test_analyze_payload_empty_diff_yields_empty_arrays(): + """An empty diff still emits all 4 keys with `[]` arrays.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_report_payload(Diff(), config) + assert payload["vulnerability"] == [] + assert payload["licensing"] == [] + assert payload["quality"] == [] From ab3bac0e0f5419e464c2f804b696cf357b3c827f Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:31:33 -0700 Subject: [PATCH 20/33] fix: source vulnerability version ranges from Socket field names --- socketsecurity/fossa_compat.py | 27 +++++++++++++------------ tests/unit/test_fossa_compat.py | 36 +++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 13 deletions(-) diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py index bb0a25f..5dc877e 100644 --- a/socketsecurity/fossa_compat.py +++ b/socketsecurity/fossa_compat.py @@ -132,26 +132,19 @@ def _extract_string_list(*values: Any) -> list[str]: def _build_remediation(props: dict[str, Any]) -> dict[str, Any]: - partial_fix = _first_non_empty( + fix = _first_non_empty( + props.get("firstPatchedVersionIdentifier"), props.get("partialFix"), - props.get("fixedVersion"), - props.get("fixed_version"), - props.get("patchedVersion"), - props.get("patched_version"), - props.get("range"), - ) - complete_fix = _first_non_empty( props.get("completeFix"), props.get("fixedVersion"), props.get("fixed_version"), props.get("patchedVersion"), props.get("patched_version"), - props.get("range"), ) return { - "partialFix": partial_fix, + "partialFix": fix, "partialFixDistance": props.get("partialFixDistance"), - "completeFix": complete_fix, + "completeFix": fix, "completeFixDistance": props.get("completeFixDistance"), } @@ -230,8 +223,16 @@ def _build_vulnerability_entry( "cveStatus": props.get("cveStatus"), "cwes": _extract_string_list(props.get("cwes"), props.get("cwe")), "published": props.get("published"), - "affectedVersionRanges": _extract_string_list(props.get("affectedVersionRanges"), props.get("affected_versions")), - "patchedVersionRanges": _extract_string_list(props.get("patchedVersionRanges"), props.get("patched_versions")), + "affectedVersionRanges": _extract_string_list( + props.get("affectedVersionRanges"), + props.get("vulnerableVersionRange"), + props.get("affected_versions"), + ), + "patchedVersionRanges": _extract_string_list( + props.get("patchedVersionRanges"), + props.get("firstPatchedVersionIdentifier"), + props.get("patched_versions"), + ), "references": _extract_references(issue, props), "cvssVector": props.get("cvssVector"), "exploitability": props.get("exploitability"), diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index 89ea178..5f58275 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -235,3 +235,39 @@ def test_analyze_payload_empty_diff_yields_empty_arrays(): assert payload["vulnerability"] == [] assert payload["licensing"] == [] assert payload["quality"] == [] + + +def test_vulnerability_version_ranges_sourced_from_socket_fields(): + """affectedVersionRanges/patchedVersionRanges come from Socket's singular fields, wrapped.""" + from socketsecurity.fossa_compat import _build_vulnerability_entry + issue = Issue( + type="criticalCVE", + severity="high", + key="CVE-2024-12345_pip+requests", + pkg_type="pypi", + pkg_name="requests", + pkg_version="2.30.0", + props={ + "ghsaId": "GHSA-aaaa-bbbb-cccc", + "cveId": "CVE-2024-12345", + "cvss": 7.5, + "vulnerableVersionRange": ">=2.0.0,<2.31.1", + "firstPatchedVersionIdentifier": "2.31.1", + "cwes": ["CWE-200"], + }, + ) + package = Package( + type="pypi", + name="requests", + version="2.30.0", + id="pip+requests$2.30.0", + score={}, + alerts=[], + direct=True, + ) + project = {"branch": "main", "id": "acme$x", "project": "acme", "projectId": "acme", "revision": "x", "url": "u"} + entry = _build_vulnerability_entry(issue, package, project, index=1) + assert entry["affectedVersionRanges"] == [">=2.0.0,<2.31.1"] + assert entry["patchedVersionRanges"] == ["2.31.1"] + assert entry["remediation"]["partialFix"] == "2.31.1" + assert entry["remediation"]["completeFix"] == "2.31.1" From b546f07e5968745432404ed78aaa92dcc8e5275c Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:35:07 -0700 Subject: [PATCH 21/33] fix: emit consistent defaults for FOSSA fields with no Socket source Adds customRiskScore: None to vulnerability entries (FOSSA samples include this field, sometimes null). Documents all gap fields and their defaults in the module docstring. Locks the new key in EXPECTED_VULNERABILITY_KEYS. --- socketsecurity/fossa_compat.py | 34 +++++++++++++++++++++++++++ tests/unit/test_fossa_compat.py | 41 +++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+) diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py index 5dc877e..5ac940f 100644 --- a/socketsecurity/fossa_compat.py +++ b/socketsecurity/fossa_compat.py @@ -1,3 +1,36 @@ +"""FOSSA-compat output shaping for `--legal-format fossa`. + +Builds two artifacts whose top-level shapes mirror real FOSSA pipeline outputs: + + fossa-analyze.json — wrapper of {project, vulnerability, licensing, quality}, + where `project` is the raw `fossa analyze --json` shape and + the three arrays are FOSSA /api/v2/issues-shaped items. + fossa-sbom.json — `fossa report --json attribution` shape: 5 top-level keys + (copyrightsByLicense, deepDependencies, directDependencies, + licenses, project). + +Fields without a Socket data source are emitted as documented defaults: + + vulnerability[]: + epss -> {score: None, percentile: None} + cvssVector -> None + exploitability -> None + cveStatus -> None + published -> None + containerLayers -> {base: 0, other: 0} + customRiskScore -> None + remediation.partialFixDistance, completeFixDistance -> None (semver-distance TBD) + projects[].scannedAt, analyzedAt, firstFoundAt -> None + + dependencies[] (SBOM): + description, downloadUrl, projectUrl -> "" + hash, isGolang -> None (always null in real FOSSA samples) + notes -> [] + + Top-level SBOM: + copyrightsByLicense -> {} (would require parsing attribText for `Copyright (c)` lines) + licenses -> {} (would require bundling SPDX license body texts) +""" from __future__ import annotations from typing import Any, Iterable, Optional @@ -238,6 +271,7 @@ def _build_vulnerability_entry( "exploitability": props.get("exploitability"), "epss": _build_epss(props), "cpes": _extract_string_list(props.get("cpes")), + "customRiskScore": None, } diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index 5f58275..2c48e0d 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -13,6 +13,7 @@ "containerLayers", "cpes", "createdAt", + "customRiskScore", "cve", "cveStatus", "cwes", @@ -237,6 +238,46 @@ def test_analyze_payload_empty_diff_yields_empty_arrays(): assert payload["quality"] == [] +def test_vulnerability_gap_fields_emit_known_defaults(): + """Fields with no Socket data source emit documented null/empty defaults.""" + from socketsecurity.fossa_compat import _build_vulnerability_entry + issue = Issue( + type="criticalCVE", + severity="high", + key="x", + pkg_type="pypi", + pkg_name="x", + pkg_version="1.0", + props={}, + ) + package = Package( + type="pypi", + name="x", + version="1.0", + id="pip+x$1.0", + score={}, + alerts=[], + direct=True, + ) + project = {"branch": "m", "id": "a$x", "project": "a", "projectId": "a", "revision": "x", "url": "u"} + entry = _build_vulnerability_entry(issue, package, project, index=1) + # Documented gap fields: + assert entry["epss"] == {"score": None, "percentile": None} + assert entry["cvssVector"] is None + assert entry["exploitability"] is None + assert entry["cveStatus"] is None + assert entry["published"] is None + assert entry["containerLayers"] == {"base": 0, "other": 0} + assert entry["remediation"]["partialFixDistance"] is None + assert entry["remediation"]["completeFixDistance"] is None + assert "customRiskScore" in entry + assert entry["customRiskScore"] is None + proj_entry = entry["projects"][0] + assert proj_entry["scannedAt"] is None + assert proj_entry["analyzedAt"] is None + assert proj_entry["firstFoundAt"] is None + + def test_vulnerability_version_ranges_sourced_from_socket_fields(): """affectedVersionRanges/patchedVersionRanges come from Socket's singular fields, wrapped.""" from socketsecurity.fossa_compat import _build_vulnerability_entry From 0fc70ab2404ed0cb53c364bec984b0e8b3598584 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:36:38 -0700 Subject: [PATCH 22/33] feat: reshape fossa-sbom.json to 5-key attribution top-level Replaces the 2-key {project, dependencies} shape with the real FOSSA attribution shape: copyrightsByLicense, deepDependencies, directDependencies, licenses, project. The SBOM project field is now the 2-key {name, revision} subset rather than the 6-key analyze project shape. _partition_dependencies is a stub returning ([], []) until Tasks 7-9 fill in per-dependency entries. --- socketsecurity/fossa_compat.py | 42 +++++++++++++++++---------------- tests/unit/test_fossa_compat.py | 30 +++++++++++++++++++++++ 2 files changed, 52 insertions(+), 20 deletions(-) diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py index 5ac940f..8fb44c2 100644 --- a/socketsecurity/fossa_compat.py +++ b/socketsecurity/fossa_compat.py @@ -362,26 +362,28 @@ def build_fossa_report_payload(diff_report: Diff, config: CliConfig) -> dict[str } -def build_fossa_attribution_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]: - project = _build_project_metadata(diff_report, config) - packages = getattr(diff_report, "packages", {}) or {} - package_entries = [] - - for package in packages.values(): - package_entries.append({ - "id": package.id, - "name": package.name, - "version": package.version, - "ecosystem": _ecosystem_to_package_manager(package.type), - "direct": bool(getattr(package, "direct", False)), - "url": package.url, - "purl": package.purl, - "declaredLicense": package.license, - "licenseDetails": package.licenseDetails or [], - "licenseAttrib": package.licenseAttrib or [], - }) +def _build_attribution_project(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + repo = getattr(config, "repo", None) or "socket-default-repo" + revision = ( + getattr(diff_report, "id", None) + or getattr(diff_report, "new_scan_id", None) + or "unknown-revision" + ) + return {"name": repo, "revision": revision} + +def _partition_dependencies(packages: list[Package]) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]: + """Stub: filled in by Tasks 7-9. Returns (direct, deep) lists of Dependency dicts.""" + return ([], []) + + +def build_fossa_attribution_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]: + packages = list((getattr(diff_report, "packages", {}) or {}).values()) + direct, deep = _partition_dependencies(packages) return { - "project": project, - "dependencies": package_entries, + "copyrightsByLicense": {}, + "deepDependencies": deep, + "directDependencies": direct, + "licenses": {}, + "project": _build_attribution_project(diff_report, config), } diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index 2c48e0d..38390d0 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -278,6 +278,36 @@ def test_vulnerability_gap_fields_emit_known_defaults(): assert proj_entry["firstFoundAt"] is None +def test_attribution_payload_top_level_is_5_keys(): + """fossa-sbom.json has exactly the 5 keys from `fossa report --json attribution`.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_attribution_payload(Diff(), config) + assert set(payload.keys()) == { + "copyrightsByLicense", + "deepDependencies", + "directDependencies", + "licenses", + "project", + } + + +def test_attribution_project_has_only_name_and_revision(): + """SBOM `project` is the 2-key subset, not the 6-key analyze project.""" + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa", "--repo", "acme/widgets"]) + diff = Diff(id="rev-x") + payload = build_fossa_attribution_payload(diff, config) + assert payload["project"] == {"name": "acme/widgets", "revision": "rev-x"} + + +def test_attribution_empty_diff_yields_empty_collections(): + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_attribution_payload(Diff(), config) + assert payload["copyrightsByLicense"] == {} + assert payload["licenses"] == {} + assert payload["directDependencies"] == [] + assert payload["deepDependencies"] == [] + + def test_vulnerability_version_ranges_sourced_from_socket_fields(): """affectedVersionRanges/patchedVersionRanges come from Socket's singular fields, wrapped.""" from socketsecurity.fossa_compat import _build_vulnerability_entry From 4a43cc24095dfb6793a3a0d76aada422d88777e9 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:39:57 -0700 Subject: [PATCH 23/33] feat: build FOSSA-shape Dependency entries with attribution text Add _build_dependency_entry and _build_dependency_licenses to produce the 14-key per-dependency dict that matches real FOSSA attribution output. License entries prefer licenseAttrib (full attribText + spdxExpr), fall back to declared license string, or emit [] when unlicensed. Also removes the stale test_fossa_attribution_payload_shape_is_stable test, which asserted the pre-Task-6 two-key shape and was already failing. --- socketsecurity/fossa_compat.py | 42 +++++++++++++++ tests/unit/test_fossa_compat.py | 95 ++++++++++++++++++++------------- 2 files changed, 99 insertions(+), 38 deletions(-) diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py index 8fb44c2..eb28c6e 100644 --- a/socketsecurity/fossa_compat.py +++ b/socketsecurity/fossa_compat.py @@ -372,6 +372,48 @@ def _build_attribution_project(diff_report: Diff, config: CliConfig) -> dict[str return {"name": repo, "revision": revision} +def _build_dependency_licenses(package: Package) -> list[dict[str, str]]: + """Build the `licenses[]` array: prefer licenseAttrib entries (full attribution text), + fall back to a single name-only entry from declared license, else empty. + """ + attribs = getattr(package, "licenseAttrib", None) or [] + licenses = [] + for attrib in attribs: + attrib_text = attrib.get("attribText", "") if isinstance(attrib, dict) else getattr(attrib, "attribText", "") + attrib_data = attrib.get("attribData", []) if isinstance(attrib, dict) else getattr(attrib, "attribData", []) + spdx = "" + if attrib_data: + first = attrib_data[0] + spdx = first.get("spdxExpr", "") if isinstance(first, dict) else getattr(first, "spdxExpr", "") + if attrib_text or spdx: + licenses.append({"attribution": attrib_text or "", "name": spdx or getattr(package, "license", "") or ""}) + if licenses: + return licenses + declared = getattr(package, "license", None) + if declared: + return [{"attribution": "", "name": declared}] + return [] + + +def _build_dependency_entry(package: Package, dependency_paths: list[str]) -> dict[str, Any]: + return { + "authors": list(getattr(package, "author", []) or []), + "dependencyPaths": list(dependency_paths), + "description": "", + "downloadUrl": "", + "hash": None, + "isGolang": None, + "licenses": _build_dependency_licenses(package), + "notes": [], + "otherLicenses": [], + "package": package.name, + "projectUrl": "", + "source": _ecosystem_to_package_manager(package.type), + "title": package.name, + "version": package.version, + } + + def _partition_dependencies(packages: list[Package]) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]: """Stub: filled in by Tasks 7-9. Returns (direct, deep) lists of Dependency dicts.""" return ([], []) diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index 38390d0..751cb7f 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -177,47 +177,66 @@ def test_project_metadata_fallbacks_when_missing_fields(): assert project["url"] is None -def test_fossa_attribution_payload_shape_is_stable(): - config = CliConfig.from_args([ - "--api-token", "test", - "--legal-format", "fossa", - "--repo", "owner/repo", - "--branch", "refs/heads/main", - ]) - diff = Diff(id="scan-123", report_url="https://socket.dev/report/123") - diff.packages = { - "pkg-1": Package( - id="pkg-1", - name="requests", - version="2.31.0", - type="pypi", - score={}, - alerts=[], - direct=True, - url="https://socket.dev/pypi/package/requests/overview/2.31.0", - license="Apache-2.0", - licenseDetails=[{"id": "Apache-2.0"}], - licenseAttrib=[{"id": "Apache-2.0"}], - purl="pkg:pypi/requests@2.31.0", - ) +def test_dependency_entry_full_shape(): + """Per-dependency dict has the exact 14-key FOSSA attribution shape.""" + from socketsecurity.fossa_compat import _build_dependency_entry + package = Package( + type="pypi", + name="requests", + version="2.31.0", + id="pip+requests$2.31.0", + score={}, + alerts=[], + direct=True, + author=["Kenneth Reitz "], + license="Apache-2.0", + licenseAttrib=[{"attribText": "Apache License 2.0\n\nCopyright 2023 Kenneth Reitz", + "attribData": [{"spdxExpr": "Apache-2.0"}]}], + ) + entry = _build_dependency_entry(package, dependency_paths=["requests"]) + assert set(entry.keys()) == { + "authors", "dependencyPaths", "description", "downloadUrl", "hash", + "isGolang", "licenses", "notes", "otherLicenses", "package", + "projectUrl", "source", "title", "version", } + assert entry["authors"] == ["Kenneth Reitz "] + assert entry["dependencyPaths"] == ["requests"] + assert entry["description"] == "" + assert entry["downloadUrl"] == "" + assert entry["hash"] is None + assert entry["isGolang"] is None + assert entry["licenses"] == [{ + "attribution": "Apache License 2.0\n\nCopyright 2023 Kenneth Reitz", + "name": "Apache-2.0", + }] + assert entry["notes"] == [] + assert entry["otherLicenses"] == [] + assert entry["package"] == "requests" + assert entry["projectUrl"] == "" + assert entry["source"] == "pip" + assert entry["title"] == "requests" + assert entry["version"] == "2.31.0" + + +def test_dependency_entry_falls_back_to_declared_license_when_no_attrib(): + """When licenseAttrib is empty, `licenses[]` falls back to a single name-only entry from Package.license.""" + from socketsecurity.fossa_compat import _build_dependency_entry + package = Package( + type="pypi", name="x", version="1.0", id="pip+x$1.0", + score={}, alerts=[], license="MIT", + ) + entry = _build_dependency_entry(package, dependency_paths=["x"]) + assert entry["licenses"] == [{"attribution": "", "name": "MIT"}] - payload = build_fossa_attribution_payload(diff, config) - assert sorted(payload.keys()) == ["dependencies", "project"] - assert sorted(payload["project"].keys()) == sorted(EXPECTED_PROJECT_KEYS) - assert payload["dependencies"] == [{ - "id": "pkg-1", - "name": "requests", - "version": "2.31.0", - "ecosystem": "pip", - "direct": True, - "url": "https://socket.dev/pypi/package/requests/overview/2.31.0", - "purl": "pkg:pypi/requests@2.31.0", - "declaredLicense": "Apache-2.0", - "licenseDetails": [{"id": "Apache-2.0"}], - "licenseAttrib": [{"id": "Apache-2.0"}], - }] +def test_dependency_entry_unlicensed_package_emits_empty_licenses(): + from socketsecurity.fossa_compat import _build_dependency_entry + package = Package( + type="pypi", name="x", version="1.0", id="pip+x$1.0", + score={}, alerts=[], license=None, + ) + entry = _build_dependency_entry(package, dependency_paths=["x"]) + assert entry["licenses"] == [] def test_analyze_payload_top_level_keys_exactly_four(): From 0f7e8b0b39cb1e49581463d95ae1927e90613741 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:42:20 -0700 Subject: [PATCH 24/33] feat: partition SBOM dependencies into direct and deep --- socketsecurity/fossa_compat.py | 18 ++++++++++++++++-- tests/unit/test_fossa_compat.py | 22 ++++++++++++++++++++++ 2 files changed, 38 insertions(+), 2 deletions(-) diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py index eb28c6e..8bf137f 100644 --- a/socketsecurity/fossa_compat.py +++ b/socketsecurity/fossa_compat.py @@ -414,9 +414,23 @@ def _build_dependency_entry(package: Package, dependency_paths: list[str]) -> di } +def _compute_dependency_paths(package: Package, package_lookup: dict[str, Package]) -> list[str]: + """Stub: filled in by Task 9. For now: package name only.""" + return [package.name] + + def _partition_dependencies(packages: list[Package]) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]: - """Stub: filled in by Tasks 7-9. Returns (direct, deep) lists of Dependency dicts.""" - return ([], []) + direct: list[dict[str, Any]] = [] + deep: list[dict[str, Any]] = [] + package_lookup = {getattr(p, "id", None): p for p in packages if getattr(p, "id", None)} + for package in packages: + paths = _compute_dependency_paths(package, package_lookup) + entry = _build_dependency_entry(package, paths) + if bool(getattr(package, "direct", False)): + direct.append(entry) + else: + deep.append(entry) + return direct, deep def build_fossa_attribution_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]: diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index 751cb7f..98cf64a 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -327,6 +327,28 @@ def test_attribution_empty_diff_yields_empty_collections(): assert payload["deepDependencies"] == [] +def test_attribution_partitions_direct_vs_deep(): + pkg_a = Package( + type="pypi", name="a", version="1.0", id="pip+a$1.0", + score={}, alerts=[], direct=True, + ) + pkg_b = Package( + type="pypi", name="b", version="1.0", id="pip+b$1.0", + score={}, alerts=[], direct=False, + ) + pkg_c = Package( + type="pypi", name="c", version="1.0", id="pip+c$1.0", + score={}, alerts=[], direct=True, + ) + diff = Diff(packages={"id-a": pkg_a, "id-b": pkg_b, "id-c": pkg_c}) + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload = build_fossa_attribution_payload(diff, config) + direct_names = sorted(d["package"] for d in payload["directDependencies"]) + deep_names = sorted(d["package"] for d in payload["deepDependencies"]) + assert direct_names == ["a", "c"] + assert deep_names == ["b"] + + def test_vulnerability_version_ranges_sourced_from_socket_fields(): """affectedVersionRanges/patchedVersionRanges come from Socket's singular fields, wrapped.""" from socketsecurity.fossa_compat import _build_vulnerability_entry From b643f539c2842bad0e570a4facc19c11bb3a6fbb Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:43:57 -0700 Subject: [PATCH 25/33] feat: compute SBOM dependencyPaths from topLevelAncestors Replaces the stub that always returned [package.name] with real logic: direct deps emit just their name; transitive deps emit one " > " chain per top-level ancestor, falling back to name-only when ancestors are absent or not in the lookup. --- socketsecurity/fossa_compat.py | 13 ++++++-- tests/unit/test_fossa_compat.py | 53 +++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 2 deletions(-) diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py index 8bf137f..b8938bc 100644 --- a/socketsecurity/fossa_compat.py +++ b/socketsecurity/fossa_compat.py @@ -415,8 +415,17 @@ def _build_dependency_entry(package: Package, dependency_paths: list[str]) -> di def _compute_dependency_paths(package: Package, package_lookup: dict[str, Package]) -> list[str]: - """Stub: filled in by Task 9. For now: package name only.""" - return [package.name] + if bool(getattr(package, "direct", False)): + return [package.name] + ancestors = getattr(package, "topLevelAncestors", None) or [] + paths = [] + for ancestor_id in ancestors: + ancestor = package_lookup.get(ancestor_id) + if ancestor and getattr(ancestor, "name", None): + paths.append(f"{ancestor.name} > {package.name}") + if not paths: + return [package.name] + return paths def _partition_dependencies(packages: list[Package]) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]: diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index 98cf64a..c1c18e2 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -349,6 +349,59 @@ def test_attribution_partitions_direct_vs_deep(): assert deep_names == ["b"] +def test_dependency_paths_direct_package_is_name_only(): + from socketsecurity.fossa_compat import _compute_dependency_paths + pkg = Package( + type="pypi", name="requests", version="2.31.0", + id="pip+requests$2.31.0", score={}, alerts=[], direct=True, + ) + paths = _compute_dependency_paths(pkg, {"pip+requests$2.31.0": pkg}) + assert paths == ["requests"] + + +def test_dependency_paths_transitive_chains_through_ancestor_name(): + from socketsecurity.fossa_compat import _compute_dependency_paths + parent = Package( + type="pypi", name="requests", version="2.31.0", + id="parent-id", score={}, alerts=[], direct=True, + ) + child = Package( + type="pypi", name="certifi", version="2024.7.4", + id="child-id", score={}, alerts=[], direct=False, + topLevelAncestors=["parent-id"], + ) + lookup = {"parent-id": parent, "child-id": child} + assert _compute_dependency_paths(child, lookup) == ["requests > certifi"] + + +def test_dependency_paths_multi_ancestor_emits_one_per_root(): + from socketsecurity.fossa_compat import _compute_dependency_paths + p1 = Package(type="pypi", name="boto3", version="1.0", id="p1", + score={}, alerts=[], direct=True) + p2 = Package(type="pypi", name="botocore", version="1.0", id="p2", + score={}, alerts=[], direct=True) + child = Package( + type="pypi", name="jmespath", version="1.0", id="c", + score={}, alerts=[], direct=False, + topLevelAncestors=["p1", "p2"], + ) + lookup = {"p1": p1, "p2": p2, "c": child} + assert sorted(_compute_dependency_paths(child, lookup)) == [ + "boto3 > jmespath", + "botocore > jmespath", + ] + + +def test_dependency_paths_missing_ancestor_falls_back_to_name(): + from socketsecurity.fossa_compat import _compute_dependency_paths + pkg = Package( + type="pypi", name="orphan", version="1.0", id="o", + score={}, alerts=[], direct=False, + topLevelAncestors=["missing-id"], + ) + assert _compute_dependency_paths(pkg, {"o": pkg}) == ["orphan"] + + def test_vulnerability_version_ranges_sourced_from_socket_fields(): """affectedVersionRanges/patchedVersionRanges come from Socket's singular fields, wrapped.""" from socketsecurity.fossa_compat import _build_vulnerability_entry From f871cbf40d2ca9907e659076b17fc7757cc554d7 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:45:52 -0700 Subject: [PATCH 26/33] fix: write fossa-sbom.json with indent=2 for consistency --- socketsecurity/socketcli.py | 6 +++++- tests/unit/test_socketcli.py | 21 +++++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/socketsecurity/socketcli.py b/socketsecurity/socketcli.py index 86f5ff8..e83b994 100644 --- a/socketsecurity/socketcli.py +++ b/socketsecurity/socketcli.py @@ -58,6 +58,10 @@ def build_license_artifact_payload( all_packages[package.id] = output return all_packages +def _write_attribution_file(config, payload: dict) -> None: + Core.save_file(config.license_file_name, json.dumps(payload, indent=2)) + + def cli(): try: main_code() @@ -780,7 +784,7 @@ def _is_unprocessed(c): legal_format=getattr(config, "legal_format", "socket"), config=config, ) - core.save_file(config.license_file_name, json.dumps(all_packages)) + _write_attribution_file(config, all_packages) # If we forced API mode due to no supported files, behave as if --disable-blocking was set if force_api_mode: diff --git a/tests/unit/test_socketcli.py b/tests/unit/test_socketcli.py index 67d7114..c46c4d8 100644 --- a/tests/unit/test_socketcli.py +++ b/tests/unit/test_socketcli.py @@ -69,6 +69,27 @@ class Config: } +def test_fossa_attribution_file_is_written_indented(tmp_path): + """fossa-sbom.json should be written with indent=2, matching fossa-analyze.json.""" + import json + from socketsecurity import socketcli + from types import SimpleNamespace + + target = tmp_path / "fossa-sbom.json" + config = SimpleNamespace(license_file_name=str(target)) + payload = { + "copyrightsByLicense": {}, + "deepDependencies": [], + "directDependencies": [], + "licenses": {}, + "project": {"name": "x", "revision": "y"}, + } + socketcli._write_attribution_file(config, payload) + content = target.read_text() + assert "\n " in content, f"Expected indented JSON, got: {content!r}" + assert json.loads(content) == payload + + def test_build_license_artifact_payload_fossa_format_serializes_dependencies(): class Config: repo = "owner/repo" From 950c2c4bbc915b76d7298bd1b0def6ce55cb357e Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:47:52 -0700 Subject: [PATCH 27/33] test: assert structural parity against real FOSSA fixtures --- tests/unit/test_fossa_parity.py | 59 +++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/tests/unit/test_fossa_parity.py b/tests/unit/test_fossa_parity.py index c74c3c5..5e0baea 100644 --- a/tests/unit/test_fossa_parity.py +++ b/tests/unit/test_fossa_parity.py @@ -45,3 +45,62 @@ def test_sbom_fixture_top_level_shape(): "licenses", "project", } + + +def test_our_analyze_matches_fossa_analyze_top_level_keys(): + """Our build_fossa_report_payload top-level keyset matches the real fixture.""" + from socketsecurity.fossa_compat import build_fossa_report_payload + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_report_payload(Diff(), config) + theirs = _load("fossa-analyze-empty.json") + assert set(ours.keys()) == set(theirs.keys()) + + +def test_our_analyze_project_keys_match(): + from socketsecurity.fossa_compat import build_fossa_report_payload + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_report_payload(Diff(), config) + theirs = _load("fossa-analyze-empty.json") + assert set(ours["project"].keys()) == set(theirs["project"].keys()) + + +def test_our_sbom_matches_fossa_sbom_top_level_keys(): + from socketsecurity.fossa_compat import build_fossa_attribution_payload + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_attribution_payload(Diff(), config) + theirs = _load("fossa-sbom-populated.json") + assert set(ours.keys()) == set(theirs.keys()) + + +def test_our_sbom_project_keys_match(): + from socketsecurity.fossa_compat import build_fossa_attribution_payload + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_attribution_payload(Diff(), config) + theirs = _load("fossa-sbom-populated.json") + assert set(ours["project"].keys()) == set(theirs["project"].keys()) + + +def test_our_sbom_dependency_keys_match_when_populated(): + """When we have at least one dependency, its keyset matches a real FOSSA dependency entry.""" + from socketsecurity.fossa_compat import build_fossa_attribution_payload + from socketsecurity.config import CliConfig + from socketsecurity.core.classes import Diff, Package + pkg = Package( + type="pypi", name="x", version="1.0", id="pid", + score={}, alerts=[], direct=True, + ) + diff = Diff(packages={"pid": pkg}) + config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + ours = build_fossa_attribution_payload(diff, config) + theirs = _load("fossa-sbom-populated.json") + our_dep = ours["directDependencies"][0] + their_dep = theirs["directDependencies"][0] + assert set(our_dep.keys()) == set(their_dep.keys()) From 8ec189b0d90cfd65df372b172952fafcc1533e02 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:49:56 -0700 Subject: [PATCH 28/33] test: update legacy FOSSA-shape assertions for wrapper parity Pin project.id to dollar separator, replace 2-key SBOM with 5-key shape, and update per-dependency assertions to the 14-key _build_dependency_entry contract. --- tests/unit/test_output.py | 2 +- tests/unit/test_socketcli.py | 43 +++++++++++++++++++----------------- 2 files changed, 24 insertions(+), 21 deletions(-) diff --git a/tests/unit/test_output.py b/tests/unit/test_output.py index c5f2e02..f8700f5 100644 --- a/tests/unit/test_output.py +++ b/tests/unit/test_output.py @@ -322,7 +322,7 @@ def test_json_file_saving_in_fossa_format(self, tmp_path): saved = json.loads(json_path.read_text()) assert saved["project"] == { "branch": "refs/heads/main", - "id": "owner/repo-scan-123", + "id": "owner/repo$scan-123", "project": "owner/repo", "projectId": "owner/repo", "revision": "scan-123", diff --git a/tests/unit/test_socketcli.py b/tests/unit/test_socketcli.py index c46c4d8..9ee91be 100644 --- a/tests/unit/test_socketcli.py +++ b/tests/unit/test_socketcli.py @@ -57,15 +57,11 @@ class Config: payload = build_license_artifact_payload(diff, legal_format="fossa", config=Config()) assert payload == { - "project": { - "branch": "main", - "id": "owner/repo-scan-1", - "project": "owner/repo", - "projectId": "owner/repo", - "revision": "scan-1", - "url": "https://socket.dev/report/1", - }, - "dependencies": [], + "copyrightsByLicense": {}, + "deepDependencies": [], + "directDependencies": [], + "licenses": {}, + "project": {"name": "owner/repo", "revision": "scan-1"}, } @@ -115,16 +111,23 @@ class Config: payload = build_license_artifact_payload(diff, legal_format="fossa", config=Config()) - assert payload["project"]["projectId"] == "owner/repo" - assert payload["dependencies"] == [{ - "id": "pkg-1", - "name": "requests", + assert payload["project"] == {"name": "owner/repo", "revision": "scan-1"} + assert payload["directDependencies"] == [{ + "authors": [], + "dependencyPaths": ["requests"], + "description": "", + "downloadUrl": "", + "hash": None, + "isGolang": None, + "licenses": [{"attribution": "", "name": "Apache-2.0"}], + "notes": [], + "otherLicenses": [], + "package": "requests", + "projectUrl": "", + "source": "pip", + "title": "requests", "version": "2.31.0", - "ecosystem": "pip", - "direct": True, - "url": "https://socket.dev/pypi/package/requests/overview/2.31.0", - "purl": "pkg:pypi/requests@2.31.0", - "declaredLicense": "Apache-2.0", - "licenseDetails": [{"id": "Apache-2.0"}], - "licenseAttrib": [{"id": "Apache-2.0"}], }] + assert payload["deepDependencies"] == [] + assert payload["copyrightsByLicense"] == {} + assert payload["licenses"] == {} From 0e81004f57530f7cc9588dc4ec60004ac8ed41ac Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 13:54:56 -0700 Subject: [PATCH 29/33] docs: document partialFix/completeFix collapse and otherLicenses gap --- socketsecurity/fossa_compat.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py index b8938bc..cf7df3d 100644 --- a/socketsecurity/fossa_compat.py +++ b/socketsecurity/fossa_compat.py @@ -20,12 +20,14 @@ containerLayers -> {base: 0, other: 0} customRiskScore -> None remediation.partialFixDistance, completeFixDistance -> None (semver-distance TBD) + remediation.partialFix, completeFix -> same Socket fix version + (Socket has no partial/complete distinction) projects[].scannedAt, analyzedAt, firstFoundAt -> None dependencies[] (SBOM): description, downloadUrl, projectUrl -> "" hash, isGolang -> None (always null in real FOSSA samples) - notes -> [] + notes, otherLicenses -> [] Top-level SBOM: copyrightsByLicense -> {} (would require parsing attribText for `Copyright (c)` lines) From fbce1e4c2abf0fc776e0a00ff7c8230ba21227b9 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Tue, 26 May 2026 14:25:00 -0700 Subject: [PATCH 30/33] style: apply ruff --fix to touched files --- socketsecurity/fossa_compat.py | 1 - socketsecurity/socketcli.py | 8 ++-- tests/unit/test_fossa_compat.py | 1 - tests/unit/test_fossa_parity.py | 10 ++-- tests/unit/test_output.py | 82 ++++++++++++++++++++++----------- tests/unit/test_socketcli.py | 3 +- 6 files changed, 66 insertions(+), 39 deletions(-) diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py index cf7df3d..224f953 100644 --- a/socketsecurity/fossa_compat.py +++ b/socketsecurity/fossa_compat.py @@ -40,7 +40,6 @@ from socketsecurity.config import CliConfig from socketsecurity.core.classes import Diff, Issue, Package - LICENSE_ALERT_TYPES = {"licenseSpdxDisj"} QUALITY_ALERT_PREFIXES = ("risk", "quality", "outdated", "unmaintained") diff --git a/socketsecurity/socketcli.py b/socketsecurity/socketcli.py index e83b994..26823cc 100644 --- a/socketsecurity/socketcli.py +++ b/socketsecurity/socketcli.py @@ -1,9 +1,8 @@ import json import os +import shutil import sys import traceback -import shutil -import warnings from datetime import datetime, timezone from uuid import uuid4 @@ -11,6 +10,7 @@ from git import InvalidGitRepositoryError, NoSuchPathError from socketdev import socketdev from socketdev.fullscans import FullScanParams + from socketsecurity.config import CliConfig from socketsecurity.core import Core from socketsecurity.core.classes import Diff @@ -161,7 +161,7 @@ def main_code(): # Check if plan matches enterprise* pattern (enterprise, enterprise_trial, etc.) if not org_plan.startswith('enterprise'): - log.error(f"Reachability analysis is only available for enterprise plans.") + log.error("Reachability analysis is only available for enterprise plans.") log.error(f"Your organization plan is: {org_plan}") log.error("Please upgrade to an enterprise plan to use reachability analysis.") sys.exit(3) @@ -346,7 +346,7 @@ def main_code(): continue_on_no_source_files=config.reach_continue_on_no_source_files, ) - log.info(f"Reachability analysis completed successfully") + log.info("Reachability analysis completed successfully") log.info(f"Results written to: {result['report_path']}") if result.get('scan_id'): log.info(f"Reachability scan ID: {result['scan_id']}") diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index c1c18e2..c2e87a7 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -5,7 +5,6 @@ build_fossa_report_payload, ) - EXPECTED_TOP_LEVEL_KEYS = ["project", "vulnerability", "licensing", "quality"] EXPECTED_PROJECT_KEYS = ["branch", "id", "project", "projectId", "revision", "url"] EXPECTED_VULNERABILITY_KEYS = [ diff --git a/tests/unit/test_fossa_parity.py b/tests/unit/test_fossa_parity.py index 5e0baea..2a408d8 100644 --- a/tests/unit/test_fossa_parity.py +++ b/tests/unit/test_fossa_parity.py @@ -49,9 +49,9 @@ def test_sbom_fixture_top_level_shape(): def test_our_analyze_matches_fossa_analyze_top_level_keys(): """Our build_fossa_report_payload top-level keyset matches the real fixture.""" - from socketsecurity.fossa_compat import build_fossa_report_payload from socketsecurity.config import CliConfig from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_report_payload config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) ours = build_fossa_report_payload(Diff(), config) theirs = _load("fossa-analyze-empty.json") @@ -59,9 +59,9 @@ def test_our_analyze_matches_fossa_analyze_top_level_keys(): def test_our_analyze_project_keys_match(): - from socketsecurity.fossa_compat import build_fossa_report_payload from socketsecurity.config import CliConfig from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_report_payload config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) ours = build_fossa_report_payload(Diff(), config) theirs = _load("fossa-analyze-empty.json") @@ -69,9 +69,9 @@ def test_our_analyze_project_keys_match(): def test_our_sbom_matches_fossa_sbom_top_level_keys(): - from socketsecurity.fossa_compat import build_fossa_attribution_payload from socketsecurity.config import CliConfig from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_attribution_payload config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) ours = build_fossa_attribution_payload(Diff(), config) theirs = _load("fossa-sbom-populated.json") @@ -79,9 +79,9 @@ def test_our_sbom_matches_fossa_sbom_top_level_keys(): def test_our_sbom_project_keys_match(): - from socketsecurity.fossa_compat import build_fossa_attribution_payload from socketsecurity.config import CliConfig from socketsecurity.core.classes import Diff + from socketsecurity.fossa_compat import build_fossa_attribution_payload config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) ours = build_fossa_attribution_payload(Diff(), config) theirs = _load("fossa-sbom-populated.json") @@ -90,9 +90,9 @@ def test_our_sbom_project_keys_match(): def test_our_sbom_dependency_keys_match_when_populated(): """When we have at least one dependency, its keyset matches a real FOSSA dependency entry.""" - from socketsecurity.fossa_compat import build_fossa_attribution_payload from socketsecurity.config import CliConfig from socketsecurity.core.classes import Diff, Package + from socketsecurity.fossa_compat import build_fossa_attribution_payload pkg = Package( type="pypi", name="x", version="1.0", id="pid", score={}, alerts=[], direct=True, diff --git a/tests/unit/test_output.py b/tests/unit/test_output.py index f8700f5..c4271e7 100644 --- a/tests/unit/test_output.py +++ b/tests/unit/test_output.py @@ -1,13 +1,17 @@ +import json + import pytest -from socketsecurity.output import OutputHandler + from socketsecurity.core.classes import Diff, Issue, Package -import json +from socketsecurity.output import OutputHandler + class TestOutputHandler: @pytest.fixture def handler(self): - from socketsecurity.config import CliConfig from unittest.mock import Mock + + from socketsecurity.config import CliConfig config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = False @@ -25,8 +29,9 @@ def test_report_pass_with_blocking_issues(self, handler): assert not handler.report_pass(diff) def test_report_pass_with_blocking_disabled(self): - from socketsecurity.config import CliConfig from unittest.mock import Mock + + from socketsecurity.config import CliConfig config = Mock(spec=CliConfig) config.disable_blocking = True config.strict_blocking = False @@ -65,9 +70,10 @@ def test_json_output_format(self, handler, caplog): def test_json_output_includes_unchanged_alerts_with_strict_blocking(self, caplog): import logging - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -131,9 +137,10 @@ def test_sbom_file_saving_without_sbom_writes_empty_array(self, handler, tmp_pat assert json.loads(sbom_path.read_text()) == [] def test_json_file_saving(self, tmp_path): - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + json_path = tmp_path / "report.json" config = Mock(spec=CliConfig) @@ -186,9 +193,10 @@ def test_json_file_saving(self, tmp_path): assert saved["legal_mode"] is True def test_summary_and_report_link_files_are_written(self, tmp_path): - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + summary_path = tmp_path / "summary.txt" report_link_path = tmp_path / "report-link.txt" @@ -238,9 +246,10 @@ def test_summary_and_report_link_files_are_written(self, tmp_path): assert report_link_path.read_text().strip() == "https://socket.dev/report/123" def test_json_file_saving_in_fossa_format(self, tmp_path): - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + json_path = tmp_path / "fossa-report.json" config = Mock(spec=CliConfig) @@ -338,9 +347,10 @@ def test_json_file_saving_in_fossa_format(self, tmp_path): def test_report_pass_with_strict_blocking_new_alerts(self): """Test that strict-blocking fails on new blocking alerts""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + # Create config with strict_blocking config = Mock(spec=CliConfig) config.disable_blocking = False @@ -356,9 +366,10 @@ def test_report_pass_with_strict_blocking_new_alerts(self): def test_report_pass_with_strict_blocking_unchanged_alerts(self): """Test that strict-blocking fails on unchanged blocking alerts""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -373,9 +384,10 @@ def test_report_pass_with_strict_blocking_unchanged_alerts(self): def test_report_pass_with_strict_blocking_both_alerts(self): """Test that strict-blocking fails when both new and unchanged alerts exist""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -390,9 +402,10 @@ def test_report_pass_with_strict_blocking_both_alerts(self): def test_report_pass_with_strict_blocking_only_warnings(self): """Test that strict-blocking passes when only warnings (not errors) exist""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = True @@ -407,9 +420,10 @@ def test_report_pass_with_strict_blocking_only_warnings(self): def test_report_pass_strict_blocking_disabled(self): """Test that strict-blocking without the flag passes with unchanged alerts""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = False config.strict_blocking = False # Flag not set @@ -425,9 +439,10 @@ def test_report_pass_strict_blocking_disabled(self): def test_disable_blocking_overrides_strict_blocking(self): """Test that disable-blocking takes precedence over strict-blocking""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.disable_blocking = True config.strict_blocking = True @@ -443,9 +458,10 @@ def test_disable_blocking_overrides_strict_blocking(self): def test_sarif_file_output(self, tmp_path): """Test that --sarif-file writes SARIF report to a file""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" config = Mock(spec=CliConfig) @@ -481,9 +497,10 @@ def test_sarif_file_output(self, tmp_path): def test_sarif_reachability_reachable_filters_non_reachable(self, tmp_path): """Test that --sarif-reachability reachable uses .socket.facts.json reachability.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" facts_path = tmp_path / ".socket.facts.json" @@ -556,9 +573,10 @@ def make_issue(name, error, ghsa_id): def test_sarif_reachability_reachable_falls_back_to_blocking_when_facts_missing(self, tmp_path): """Test that missing facts file falls back to historical blocking filter.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" config = Mock(spec=CliConfig) @@ -595,9 +613,10 @@ def test_sarif_reachability_reachable_falls_back_to_blocking_when_facts_missing( def test_sarif_output_includes_unchanged_with_strict_blocking(self, tmp_path): """Strict blocking should include unchanged alerts in diff-scope SARIF output.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path_strict_false = tmp_path / "strict-false.sarif" sarif_path_strict_true = tmp_path / "strict-true.sarif" @@ -650,9 +669,10 @@ def build_diff(): def test_sarif_reachability_all_includes_all(self, tmp_path): """Test that --sarif-reachability all includes all alerts.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "report.sarif" config = Mock(spec=CliConfig) @@ -689,9 +709,10 @@ def test_sarif_reachability_all_includes_all(self, tmp_path): def test_sarif_no_file_when_not_configured(self, tmp_path): """Test that no file is written when --sarif-file is not set""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + config = Mock(spec=CliConfig) config.sarif_file = None config.sarif_scope = "diff" @@ -710,9 +731,10 @@ def test_sarif_no_file_when_not_configured(self, tmp_path): def test_sarif_file_nested_directory(self, tmp_path): """Test that --sarif-file creates parent directories if needed""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + sarif_path = tmp_path / "nested" / "dir" / "report.sarif" config = Mock(spec=CliConfig) @@ -735,9 +757,10 @@ def test_sarif_file_nested_directory(self, tmp_path): def test_sarif_scope_full_before_after_reachable_filtering_snapshot(self, tmp_path): """Full-scope SARIF should show before/after changes with reachable-only filtering.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" all_path = tmp_path / "full-all.sarif" reachable_path = tmp_path / "full-reachable.sarif" @@ -804,9 +827,10 @@ def build_handler(output_path, reachable_only): def test_sarif_scope_full_works_when_diff_not_run(self, tmp_path): """Full scope should still emit SARIF when diff id is NO_DIFF_RAN.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" out_path = tmp_path / "full-no-diff.sarif" @@ -849,9 +873,10 @@ def test_sarif_scope_full_works_when_diff_not_run(self, tmp_path): def test_sarif_scope_full_dedupes_duplicate_manifest_uris(self, tmp_path): """Full scope should not emit duplicate results for duplicate manifest entries.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" out_path = tmp_path / "full-dedup.sarif" @@ -891,9 +916,10 @@ def test_sarif_scope_full_dedupes_duplicate_manifest_uris(self, tmp_path): def test_sarif_scope_full_with_sarif_file_suppresses_stdout(self, tmp_path, capsys): """Full scope + --sarif-file should avoid printing massive SARIF JSON to stdout.""" - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + facts_path = tmp_path / ".socket.facts.json" out_path = tmp_path / "full-suppressed.sarif" @@ -931,9 +957,10 @@ def test_sarif_scope_full_with_sarif_file_suppresses_stdout(self, tmp_path, caps assert out_path.exists() def test_sarif_scope_full_alert_grouping_dedupes_versions(self, tmp_path): - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + out_path = tmp_path / "full-alert-grouping.sarif" facts_path = tmp_path / ".socket.facts.json" facts_path.write_text(json.dumps({ @@ -981,9 +1008,10 @@ def test_sarif_scope_full_alert_grouping_dedupes_versions(self, tmp_path): assert props["reachability"] == "reachable" def test_sarif_scope_full_potentially_filter(self, tmp_path): - from socketsecurity.config import CliConfig from unittest.mock import Mock + from socketsecurity.config import CliConfig + out_path = tmp_path / "full-potentially.sarif" facts_path = tmp_path / ".socket.facts.json" facts_path.write_text(json.dumps({ diff --git a/tests/unit/test_socketcli.py b/tests/unit/test_socketcli.py index 9ee91be..e48788a 100644 --- a/tests/unit/test_socketcli.py +++ b/tests/unit/test_socketcli.py @@ -68,9 +68,10 @@ class Config: def test_fossa_attribution_file_is_written_indented(tmp_path): """fossa-sbom.json should be written with indent=2, matching fossa-analyze.json.""" import json - from socketsecurity import socketcli from types import SimpleNamespace + from socketsecurity import socketcli + target = tmp_path / "fossa-sbom.json" config = SimpleNamespace(license_file_name=str(target)) payload = { From ff9edd1b68919e7963a190497995032f373702f9 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Wed, 27 May 2026 15:11:47 -0700 Subject: [PATCH 31/33] fix: always include unchanged alerts in FOSSA output FOSSA's /api/v2/issues endpoint returns a point-in-time snapshot of all issues at the scan revision, not only diff-new ones. The previous implementation only included unchanged alerts when --strict-blocking was set, causing FOSSA-mode output to under-represent project-wide findings compared to the typical FOSSA pipeline. --- socketsecurity/fossa_compat.py | 8 ++++++-- tests/unit/test_fossa_compat.py | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py index 224f953..0be11a9 100644 --- a/socketsecurity/fossa_compat.py +++ b/socketsecurity/fossa_compat.py @@ -323,9 +323,13 @@ def _build_quality_entry( def _iter_selected_issues(diff_report: Diff, config: CliConfig) -> Iterable[Issue]: + """Yield all currently-present issues (new + unchanged) to match FOSSA's + /api/v2/issues behavior, which returns a point-in-time snapshot of all + issues at the scan revision, not only diff-new ones. The `config` argument + is retained for signature stability but no longer gates output. + """ yield from getattr(diff_report, "new_alerts", []) or [] - if getattr(config, "strict_blocking", False): - yield from getattr(diff_report, "unchanged_alerts", []) or [] + yield from getattr(diff_report, "unchanged_alerts", []) or [] def _classify_issue(issue: Issue) -> str: diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py index c2e87a7..fadaf03 100644 --- a/tests/unit/test_fossa_compat.py +++ b/tests/unit/test_fossa_compat.py @@ -435,3 +435,36 @@ def test_vulnerability_version_ranges_sourced_from_socket_fields(): assert entry["patchedVersionRanges"] == ["2.31.1"] assert entry["remediation"]["partialFix"] == "2.31.1" assert entry["remediation"]["completeFix"] == "2.31.1" + + +def test_fossa_payload_includes_unchanged_alerts_regardless_of_strict_blocking(): + """FOSSA emits all currently-present issues at the scan revision, not just + diff-new ones. So `unchanged_alerts` must always flow into the payload, + independent of the --strict-blocking flag.""" + new_issue = Issue( + type="criticalCVE", severity="high", key="NEW", + pkg_type="pypi", pkg_name="a", pkg_version="1.0", + props={"cveId": "CVE-2024-NEW", "ghsaId": "GHSA-new"}, + ) + unchanged_issue = Issue( + type="criticalCVE", severity="high", key="OLD", + pkg_type="pypi", pkg_name="b", pkg_version="1.0", + props={"cveId": "CVE-2024-OLD", "ghsaId": "GHSA-old"}, + ) + diff = Diff(new_alerts=[new_issue], unchanged_alerts=[unchanged_issue]) + + # strict_blocking off (default): + config_loose = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"]) + payload_loose = build_fossa_report_payload(diff, config_loose) + loose_cves = sorted(v["cve"] for v in payload_loose["vulnerability"]) + assert loose_cves == ["CVE-2024-NEW", "CVE-2024-OLD"], ( + "FOSSA mode must include unchanged_alerts even without --strict-blocking" + ) + + # strict_blocking on — same result (always include both): + config_strict = CliConfig.from_args( + ["--api-token", "test", "--legal-format", "fossa", "--strict-blocking"] + ) + payload_strict = build_fossa_report_payload(diff, config_strict) + strict_cves = sorted(v["cve"] for v in payload_strict["vulnerability"]) + assert strict_cves == loose_cves From fee62dea9e519c980df2eb121dfb7698a7a4da3c Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Wed, 27 May 2026 15:12:50 -0700 Subject: [PATCH 32/33] test: sanitize customer references in FOSSA reference fixtures Replace customer org ID and project name with generic placeholders (1234/example-validation-project) across all four fixtures and the README. Structural shape, key sets, value types, and per-field cardinality are unchanged. Parity tests assert keysets only, so the substitution is transparent to test behavior. --- tests/fixtures/fossa/README.md | 20 ++- tests/fixtures/fossa/fossa-analyze-empty.json | 8 +- .../fossa/fossa-analyze-populated.json | 118 +++++++++--------- .../fixtures/fossa/fossa-sbom-empty-deep.json | 2 +- .../fixtures/fossa/fossa-sbom-populated.json | 2 +- 5 files changed, 79 insertions(+), 71 deletions(-) diff --git a/tests/fixtures/fossa/README.md b/tests/fixtures/fossa/README.md index 72b3401..853d716 100644 --- a/tests/fixtures/fossa/README.md +++ b/tests/fixtures/fossa/README.md @@ -1,10 +1,18 @@ # FOSSA reference fixtures -Captured from a UiPath Azure DevOps pipeline (CE-199, build 12109922) for parity testing. +Real `fossa analyze` and `fossa report --json attribution` artifacts captured +from a representative Azure DevOps FOSSA pipeline run, used as the +structural-parity baseline for `--legal-format fossa` output. -- `fossa-analyze-populated.json` — composed FOSSA analyze artifact with 11 vulnerabilities. -- `fossa-analyze-empty.json` — composed FOSSA analyze artifact with zero vulnerabilities. -- `fossa-sbom-populated.json` — `fossa report --json attribution` output with direct + deep dependencies. -- `fossa-sbom-empty-deep.json` — attribution output with empty `deepDependencies`. +Customer-identifying values (org IDs, project names) have been sanitized; the +structural shape, key sets, value types, and per-field cardinality match the +real artifacts byte-for-byte aside from those substitutions. -Source assets retained at `assets/` (gitignored) for reference. These four files are the structural-parity baseline. +- `fossa-analyze-populated.json` — composed FOSSA analyze artifact with + vulnerabilities present. +- `fossa-analyze-empty.json` — composed FOSSA analyze artifact with zero + vulnerabilities. +- `fossa-sbom-populated.json` — `fossa report --json attribution` output with + direct + deep dependencies. +- `fossa-sbom-empty-deep.json` — attribution output with empty + `deepDependencies`. diff --git a/tests/fixtures/fossa/fossa-analyze-empty.json b/tests/fixtures/fossa/fossa-analyze-empty.json index 114c0c8..fd7efa3 100644 --- a/tests/fixtures/fossa/fossa-analyze-empty.json +++ b/tests/fixtures/fossa/fossa-analyze-empty.json @@ -1,11 +1,11 @@ { "project": { "branch": "refs/heads/master", - "id": "custom+6060/DevTools-Validation-Pipeline-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux", - "project": "6060/DevTools-Validation-Pipeline", - "projectId": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux", + "project": "1234/example-validation-project", + "projectId": "custom+1234/example-validation-project", "revision": "12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux", - "url": "https://app.fossa.com/account/saml/6060?next=/projects/custom%252b6060%252fDevTools-Validation-Pipeline/refs/branch/refs%252fheads%252fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux" + "url": "https://app.fossa.com/account/saml/1234?next=/projects/custom%252b1234%252fexample-validation-project/refs/branch/refs%252fheads%252fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-linux" }, "vulnerability": [], "licensing": [], diff --git a/tests/fixtures/fossa/fossa-analyze-populated.json b/tests/fixtures/fossa/fossa-analyze-populated.json index 5d0d5f5..515fed9 100644 --- a/tests/fixtures/fossa/fossa-analyze-populated.json +++ b/tests/fixtures/fossa/fossa-analyze-populated.json @@ -1,11 +1,11 @@ { "project": { "branch": "refs/heads/master", - "id": "custom+6060/DevTools-Validation-Pipeline-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", - "project": "6060/DevTools-Validation-Pipeline", - "projectId": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "project": "1234/example-validation-project", + "projectId": "custom+1234/example-validation-project", "revision": "12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", - "url": "https://app.fossa.com/account/saml/6060?next=/projects/custom%252b6060%252fDevTools-Validation-Pipeline/refs/branch/refs%252fheads%252fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux" + "url": "https://app.fossa.com/account/saml/1234?next=/projects/custom%252b1234%252fexample-validation-project/refs/branch/refs%252fheads%252fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux" }, "vulnerability": [ { @@ -33,21 +33,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 2, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2025-10-08T10:41:05.933+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088939?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088939?revisionScanId=106820047", "vulnId": "CVE-2024-39689_pip+certifi", "title": "Insufficient Verification of Data Authenticity", "cve": "CVE-2024-39689", @@ -149,21 +149,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 2, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2025-10-08T10:41:05.933+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088937?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088937?revisionScanId=106820047", "vulnId": "CVE-2024-3651_pip+idna", "title": "Uncontrolled Resource Consumption", "cve": "CVE-2024-3651", @@ -267,21 +267,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 1, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2026-05-20T14:40:25.221+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/15980738?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/15980738?revisionScanId=106820047", "vulnId": "CVE-2026-25645_pip+requests", "title": "Insecure Temporary File", "cve": "CVE-2026-25645", @@ -380,21 +380,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 1, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2025-10-08T10:41:05.933+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088938?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/11088938?revisionScanId=106820047", "vulnId": "CVE-2024-47081_pip+requests", "title": "Insufficiently Protected Credentials", "cve": "CVE-2024-47081", @@ -500,21 +500,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 1, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2025-10-08T10:41:05.933+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/9643353?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/9643353?revisionScanId=106820047", "vulnId": "CVE-2024-35195_pip+requests", "title": "Always-Incorrect Control Flow Implementation", "cve": "CVE-2024-35195", @@ -615,21 +615,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 1, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2025-10-08T10:41:05.933+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/9643352?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/9643352?revisionScanId=106820047", "vulnId": "CVE-2023-32681_pip+requests", "title": "Exposure of Sensitive Information to an Unauthorized Actor", "cve": "CVE-2023-32681", @@ -735,21 +735,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 2, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2026-05-20T14:40:25.221+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/17096816?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/17096816?revisionScanId=106820047", "vulnId": "CVE-2026-44431_pip+urllib3", "title": "Exposure of Sensitive Information to an Unauthorized Actor", "cve": "CVE-2026-44431", @@ -844,21 +844,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 2, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2026-02-20T18:40:20.814+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14594289?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14594289?revisionScanId=106820047", "vulnId": "CVE-2026-21441_pip+urllib3", "title": "Improper Handling of Highly Compressed Data (Data Amplification)", "cve": "CVE-2026-21441", @@ -957,21 +957,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 2, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2026-02-20T18:40:20.814+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14169171?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14169171?revisionScanId=106820047", "vulnId": "CVE-2025-66418_pip+urllib3", "title": "Allocation of Resources Without Limits or Throttling", "cve": "CVE-2025-66418", @@ -1069,21 +1069,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 2, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2026-02-20T18:40:20.814+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14169170?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/14169170?revisionScanId=106820047", "vulnId": "CVE-2025-66471_pip+urllib3", "title": "Improper Handling of Highly Compressed Data (Data Amplification)", "cve": "CVE-2025-66471", @@ -1181,21 +1181,21 @@ }, "projects": [ { - "id": "custom+6060/DevTools-Validation-Pipeline", + "id": "custom+1234/example-validation-project", "status": "active", "depth": 2, - "title": "DevTools-Validation-Pipeline", + "title": "example-validation-project", "scannedAt": "2026-05-21T17:48:13.555+00:00", "analyzedAt": "2026-05-21T17:48:02.821Z", - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project", "firstFoundAt": "2025-10-08T10:41:05.933+00:00", "defaultBranch": "refs/heads/test-fossa-scans", "latest": false, - "revisionId": "custom+6060/DevTools-Validation-Pipeline$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", + "revisionId": "custom+1234/example-validation-project$12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux", "revisionScanId": 106820047 } ], - "url": "https://app.fossa.com/projects/custom%2B6060%2FDevTools-Validation-Pipeline/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/10198614?revisionScanId=106820047", + "url": "https://app.fossa.com/projects/custom%2B6060%2Fexample-validation-project/refs/branch/refs%2Fheads%2Fmaster/12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux/issues/vulnerability/10198614?revisionScanId=106820047", "vulnId": "CVE-2025-50181_pip+urllib3", "title": "URL Redirection to Untrusted Site ('Open Redirect')", "cve": "CVE-2025-50181", diff --git a/tests/fixtures/fossa/fossa-sbom-empty-deep.json b/tests/fixtures/fossa/fossa-sbom-empty-deep.json index d0e69c9..f3cf63e 100644 --- a/tests/fixtures/fossa/fossa-sbom-empty-deep.json +++ b/tests/fixtures/fossa/fossa-sbom-empty-deep.json @@ -1 +1 @@ -{"copyrightsByLicense":{"MIT":["2013 Fatih Arslan","2016 Yasuhiro Matsumoto","Yasuhiro MATSUMOTO "]},"deepDependencies":[{"authors":["mattn","hymkor","koron","alecrabbit","dolmen","tklauser","ikedam","toshimaru","mislav","ncw","aviau","cenkalti","whereswaldon","secDre4mer","alexandear","radeksimko","segrey","magicshui","filimonov","naoyukis","rbtnn","tyru","uji"],"dependencyPaths":["github.com/fatih/color > github.com/mattn/go-colorable"],"description":"Cached by the Go Module Proxy at Wed, 29 Sep 2021 16:02:39 GMT","downloadUrl":"https://proxy.golang.org/github.com/mattn/go-colorable/@v/v0.1.9.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2016 Yasuhiro Matsumoto\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/mattn/go-colorable","projectUrl":"http://godoc.org/github.com/mattn/go-colorable","source":"go","title":"github.com/mattn/go-colorable","version":"v0.1.9"},{"authors":["mattn","tklauser","thesyncim","dolmen","renovate[bot]","shogo82148","aeppert","grafov","carlosedp","mysqto","dkegel-fastly","dmgk","ddevault","Mischi","fatih","cookieY","lgonzalez-silen","mahdi-hm","marcauberer","martinlindhe","ncw","radeksimko","sthibaul","CaptainCodeman","tjni","stuartnelson3"],"dependencyPaths":["github.com/fatih/color > github.com/mattn/go-colorable > github.com/mattn/go-isatty","github.com/fatih/color > github.com/mattn/go-isatty"],"description":"Cached by the Go Module Proxy at Sun, 29 Aug 2021 14:41:14 GMT","downloadUrl":"https://proxy.golang.org/github.com/mattn/go-isatty/@v/v0.0.14.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) Yasuhiro MATSUMOTO \nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/mattn/go-isatty","projectUrl":"http://godoc.org/github.com/mattn/go-isatty","source":"go","title":"github.com/mattn/go-isatty","version":"v0.0.14"}],"directDependencies":[{"authors":["fatih","dependabot[bot]","gregpoirson","pellared","n10v","sashamelentyev","bl-ue","zddhub","ataypamart","pattmax00","qualidafial","martinlindhe","msabramo","rhysd","Tonkpils","klauspost","jeffwillette","hackebrot","sinan","tliron","morfu","mattn","majiayu000","UnSubble","ilyabrin","hyunsooda","hermanschaaf","DrKhyz","EdwardBetts","dmitris","cenkalti","moorereason","andrewaustin","deining","AlekSi","klaidliadon","ahmetb","achilleas-k"],"dependencyPaths":["github.com/fatih/color"],"description":"Color package for Go (golang)","downloadUrl":"https://proxy.golang.org/github.com/fatih/color/@v/v1.13.0.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2013 Fatih Arslan\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/fatih/color","projectUrl":"https://pkg.go.dev/github.com/fatih/color","source":"go","title":"github.com/fatih/color","version":"v1.13.0"}],"licenses":{"MIT":"MIT License\nCopyright (c) \n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."},"project":{"name":"DevTools-Validation-Pipeline","revision":"12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-windows"}} \ No newline at end of file +{"copyrightsByLicense":{"MIT":["2013 Fatih Arslan","2016 Yasuhiro Matsumoto","Yasuhiro MATSUMOTO "]},"deepDependencies":[{"authors":["mattn","hymkor","koron","alecrabbit","dolmen","tklauser","ikedam","toshimaru","mislav","ncw","aviau","cenkalti","whereswaldon","secDre4mer","alexandear","radeksimko","segrey","magicshui","filimonov","naoyukis","rbtnn","tyru","uji"],"dependencyPaths":["github.com/fatih/color > github.com/mattn/go-colorable"],"description":"Cached by the Go Module Proxy at Wed, 29 Sep 2021 16:02:39 GMT","downloadUrl":"https://proxy.golang.org/github.com/mattn/go-colorable/@v/v0.1.9.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2016 Yasuhiro Matsumoto\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/mattn/go-colorable","projectUrl":"http://godoc.org/github.com/mattn/go-colorable","source":"go","title":"github.com/mattn/go-colorable","version":"v0.1.9"},{"authors":["mattn","tklauser","thesyncim","dolmen","renovate[bot]","shogo82148","aeppert","grafov","carlosedp","mysqto","dkegel-fastly","dmgk","ddevault","Mischi","fatih","cookieY","lgonzalez-silen","mahdi-hm","marcauberer","martinlindhe","ncw","radeksimko","sthibaul","CaptainCodeman","tjni","stuartnelson3"],"dependencyPaths":["github.com/fatih/color > github.com/mattn/go-colorable > github.com/mattn/go-isatty","github.com/fatih/color > github.com/mattn/go-isatty"],"description":"Cached by the Go Module Proxy at Sun, 29 Aug 2021 14:41:14 GMT","downloadUrl":"https://proxy.golang.org/github.com/mattn/go-isatty/@v/v0.0.14.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) Yasuhiro MATSUMOTO \nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/mattn/go-isatty","projectUrl":"http://godoc.org/github.com/mattn/go-isatty","source":"go","title":"github.com/mattn/go-isatty","version":"v0.0.14"}],"directDependencies":[{"authors":["fatih","dependabot[bot]","gregpoirson","pellared","n10v","sashamelentyev","bl-ue","zddhub","ataypamart","pattmax00","qualidafial","martinlindhe","msabramo","rhysd","Tonkpils","klauspost","jeffwillette","hackebrot","sinan","tliron","morfu","mattn","majiayu000","UnSubble","ilyabrin","hyunsooda","hermanschaaf","DrKhyz","EdwardBetts","dmitris","cenkalti","moorereason","andrewaustin","deining","AlekSi","klaidliadon","ahmetb","achilleas-k"],"dependencyPaths":["github.com/fatih/color"],"description":"Color package for Go (golang)","downloadUrl":"https://proxy.golang.org/github.com/fatih/color/@v/v1.13.0.zip","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2013 Fatih Arslan\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"github.com/fatih/color","projectUrl":"https://pkg.go.dev/github.com/fatih/color","source":"go","title":"github.com/fatih/color","version":"v1.13.0"}],"licenses":{"MIT":"MIT License\nCopyright (c) \n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."},"project":{"name":"example-validation-project","revision":"12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-go-windows"}} \ No newline at end of file diff --git a/tests/fixtures/fossa/fossa-sbom-populated.json b/tests/fixtures/fossa/fossa-sbom-populated.json index 3a2d4ec..303f92c 100644 --- a/tests/fixtures/fossa/fossa-sbom-populated.json +++ b/tests/fixtures/fossa/fossa-sbom-populated.json @@ -1 +1 @@ -{"copyrightsByLicense":{"Apache-2.0":["Amazon.com, Inc. or its affiliates. All Rights Reserved."," Amazon.com, Inc. or its affiliates. All Rights Reserved.","2015 Google Inc. All rights reserved."],"BSD-3-Clause":["2013-2023 Kim Davies and contributors.","2022 Intel Corporation","2023 Intel Corporation","2019 Google LLC","2024 Arm Limited and/or its affiliates ","2022-2023 Intel Corporation","2021 Serge Sans Paille","2010 Jonathan Hartley","2014 Bibek Kafle and Roland Shoemaker","2014 John MacFarlane","Individual contributors.","2015 The Go Authors. All rights reserved."," Individual contributors.","2005-2020 NumPy Developers."],"CC-BY-SA-4.0":[],"IETF":[],"MIT":["2020 Will McGugan"," Sindre Sorhus (sindresorhus.com)","2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2012-2013 Mitch Garnaat http://garnaat.org/","2012-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2013 Kenneth Reitz","2008-2011 Andrey Petrov and contributors (see CONTRIBUTORS.txt),","2012 Kenneth Reitz.","2010-2020 Benjamin Peterson","2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt)","2015-2016 Will Bond ","2012 Senko Rasic ","2008-2020 Andrey Petrov and contributors.","2019 TAHRI Ahmed R."],"MPL-2.0":["2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2019-2022 Pyodide contributors and Mozilla","2013 Kenneth Reitz","2008-2011 Andrey Petrov and contributors (see CONTRIBUTORS.txt),","2012 Kenneth Reitz."]},"deepDependencies":[{"authors":["me@kennethreitz.com"],"dependencyPaths":["requests > certifi"],"description":"Python package for providing Mozilla's CA Bundle.","downloadUrl":"https://files.pythonhosted.org/packages/d4/91/c89518dd4fe1f3a4e3f6ab7ff23cb00ef2e8c9adf99dacc618ad5e068e28/certifi-2023.11.17.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"This package contains a modified version of ca-bundle.crt:\n\nca-bundle.crt -- Bundle of CA Root Certificates\n\nThis is a bundle of X.509 certificates of public Certificate Authorities\n(CA). These were automatically extracted from Mozilla's root certificates\nfile (certdata.txt). This file can be found in the mozilla source tree:\nhttps://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt\nIt contains the certificates in PEM format and therefore\ncan be directly used with curl / libcurl / php_curl, or with\nan Apache+mod_ssl webserver for SSL client authentication.\nJust configure this file as the SSLCACertificateFile.#\n\n***** BEGIN LICENSE BLOCK *****\nThis Source Code Form is subject to the terms of the Mozilla Public License,\nv. 2.0. If a copy of the MPL was not distributed with this file, You can obtain\none at http://mozilla.org/MPL/2.0/.\n\n***** END LICENSE BLOCK *****\n@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $\n","name":"MPL-2.0"}],"notes":[],"otherLicenses":[],"package":"certifi","projectUrl":"https://github.com/certifi/python-certifi","source":"pip","title":"certifi","version":"2023.11.17"},{"authors":["\"Ahmed R. TAHRI\" "],"dependencyPaths":["requests > charset-normalizer"],"description":"The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.","downloadUrl":"https://files.pythonhosted.org/packages/56/31/7bcaf657fafb3c6db8c787a865434290b726653c912085fbd371e9b92e1c/charset-normalizer-2.0.12.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2019 TAHRI Ahmed R.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"charset-normalizer","projectUrl":"https://pypi.org/project/charset-normalizer/","source":"pip","title":"charset-normalizer","version":"2.0.12"},{"authors":["Jonathan Hartley "],"dependencyPaths":["rich > colorama"],"description":"Cross-platform colored terminal text.","downloadUrl":"https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2010 Jonathan Hartley\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n this list of conditions and the following disclaimer in the documentation\n and/or other materials provided with the distribution.\n\n* Neither the name of the copyright holders, nor those of its contributors\n may be used to endorse or promote products derived from this software without\n specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"colorama","projectUrl":"https://pypi.org/project/colorama/","source":"pip","title":"colorama","version":"0.4.6"},{"authors":["rolandshoemaker@gmail.com"],"dependencyPaths":["rich > commonmark"],"description":"commonmark.py\n=============\n\ncommonmark.py is a pure Python port of `jgm `__'s\n`commonmark.js `__, a\nMarkdown parser and renderer for the\n`CommonMark `__ specification, using only native\nmodules. Once both this project and the CommonMark specification are\nstable we will release the first ``1.0`` version and attempt to keep up\nto date with changes in ``commonmark.js``.\n\ncommonmark.py is tested against the CommonMark spec with Python versions\n2.7, 3.4, 3.5, 3.6, and 3.7.\n\n**Current version:** 0.9.1\n\n|Pypi Link| |Build Status| |Doc Link|\n\nInstallation\n------------\n\n::\n\n $ pip install commonmark\n\nUsage\n-----\n\n::\n\n >>> import commonmark\n >>> commonmark.commonmark('*hello!*')\n '

hello!

\\n'\n\nOr, without the syntactic sugar:\n\n.. code:: python\n\n import commonmark\n parser = commonmark.Parser()\n ast = parser.parse(\"Hello *World*\")\n\n renderer = commonmark.HtmlRenderer()\n html = renderer.render(ast)\n print(html) #

Hello World

\n\n # inspecting the abstract syntax tree\n json = commonmark.dumpJSON(ast)\n commonmark.dumpAST(ast) # pretty print generated AST structure\n\nThere is also a CLI:\n\n::\n\n $ cmark README.md -o README.html\n $ cmark README.md -o README.json -aj # output AST as JSON\n $ cmark README.md -a # pretty print generated AST structure\n $ cmark -h\n usage: cmark [-h] [-o [O]] [-a] [-aj] [infile]\n\n Process Markdown according to the CommonMark specification.\n\n positional arguments:\n infile Input Markdown file to parse, defaults to stdin\n\n optional arguments:\n -h, --help show this help message and exit\n -o [O] Output HTML/JSON file, defaults to stdout\n -a Print formatted AST\n -aj Output JSON AST\n\n\nContributing\n------------\n\nIf you would like to offer suggestions/optimizations/bugfixes through\npull requests please do! Also if you find an error in the\nparser/renderer that isn't caught by the current test suite please open\na new issue and I would also suggest you send the\n`commonmark.js `__ project\na pull request adding your test to the existing test suite.\n\nTests\n-----\n\nTo work on commonmark.py, you will need to be able to run the test suite to\nmake sure your changes don't break anything. To run the tests, you can do\nsomething like this:\n\n::\n\n $ pyvenv venv\n $ ./venv/bin/python setup.py develop test\n\nThe tests script, ``commonmark/tests/run_spec_tests.py``, is pretty much a devtool. As\nwell as running all the tests embedded in ``spec.txt`` it also allows you\nto run specific tests using the ``-t`` argument, provide information\nabout passed tests with ``-p``, percentage passed by category of test\nwith ``-s``, and enter markdown interactively with ``-i`` (In\ninteractive mode end a block by inputting a line with just ``end``, to\nquit do the same but with ``quit``). ``-d`` can be used to print call\ntracing.\n\n::\n\n $ ./venv/bin/python commonmark/tests/run_spec_tests.py -h\n usage: run_spec_tests.py [-h] [-t T] [-p] [-f] [-i] [-d] [-np] [-s]\n\n script to run the CommonMark specification tests against the commonmark.py\n parser.\n\n optional arguments:\n -h, --help show this help message and exit\n -t T Single test to run or comma separated list of tests (-t 10 or -t 10,11,12,13)\n -p Print passed test information\n -f Print failed tests (during -np...)\n -i Interactive Markdown input mode\n -d Debug, trace calls\n -np Only print section header, tick, or cross\n -s Print percent of tests passed by category\n\nAuthors\n-------\n\n- `Bibek Kafle `__\n- `Roland Shoemaker `__\n- `Nikolas Nyby `__\n\n.. |Pypi Link| image:: https://img.shields.io/pypi/v/commonmark.svg\n :target: https://pypi.org/project/commonmark/\n\n.. |Build Status| image:: https://travis-ci.org/rtfd/commonmark.py.svg?branch=master\n :target: https://travis-ci.org/rtfd/commonmark.py\n\n.. |Doc Link| image:: https://readthedocs.org/projects/commonmarkpy/badge/?version=latest\n :target: https://commonmarkpy.readthedocs.io/en/latest/?badge=latest\n :alt: Documentation Status\n\n\n","downloadUrl":"https://files.pythonhosted.org/packages/60/48/a60f593447e8f0894ebb7f6e6c1f25dafc5e89c5879fdc9360ae93ff83f0/commonmark-0.9.1.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2014, Bibek Kafle and Roland Shoemaker\r\n\r\nBased on stmd.js: Copyright (c) 2014, John MacFarlane\r\n\r\nAll rights reserved.\r\n\r\nRedistribution and use in source and binary forms, with or without\r\nmodification, are permitted provided that the following conditions are met:\r\n\r\n * Redistributions of source code must retain the above copyright\r\n notice, this list of conditions and the following disclaimer.\r\n\r\n * Redistributions in binary form must reproduce the above\r\n copyright notice, this list of conditions and the following\r\n disclaimer in the documentation and/or other materials provided\r\n with the distribution.\r\n\r\n * Neither the names of Bibek Kafle, Roland Shoemaker nor the names of other\r\n contributors may be used to endorse or promote products derived\r\n from this software without specific prior written permission.\r\n\r\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\r\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\r\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\r\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\r\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\r\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\r\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\r\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\r\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\r\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\r\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[{"attribution":"Attribution-ShareAlike 4.0 International<>\nUsing Creative Commons Public Licenses\nCreative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.\nConsiderations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors : wiki.creativecommons.org/Considerations_for_licensors\nConsiderations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described.\nAlthough not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public : wiki.creativecommons.org/Considerations_for_licensees\nCreative Commons Attribution-ShareAlike 4.0 International Public License\nBy exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License (\"Public License\"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.\nSection 1 – Definitions.\n a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.\n b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.\n c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.\n d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.\n e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.\n f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.\n g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.\n h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.\n i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.\n j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.\n k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.\n l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.\n m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.\nSection 2 – Scope.\n a. License grant.\n 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:\n A. reproduce and Share the Licensed Material, in whole or in part; and\n B. produce, reproduce, and Share Adapted Material.\n 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.\n 3. Term. The term of this Public License is specified in Section 6(a).\n 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.\n 5. Downstream recipients.\n A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.\n B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter's License You apply.\n C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.\n 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).\n b. Other rights.\n 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.\n 2. Patent and trademark rights are not licensed under this Public License.\n 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.\nSection 3 – License Conditions.\nYour exercise of the Licensed Rights is expressly made subject to the following conditions.\n a. Attribution.\n 1. If You Share the Licensed Material (including in modified form), You must:\n A. retain the following if it is supplied by the Licensor with the Licensed Material:\n i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);\n ii. a copyright notice;\n iii. a notice that refers to this Public License;\n iv. a notice that refers to the disclaimer of warranties;\n v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;\n B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and\n C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.\n 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.\n 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.\n b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.\n 1. The Adapter's License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.\n 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.\n 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.\nSection 4 – Sui Generis Database Rights.\nWhere the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;\n b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.\n For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.\nSection 5 – Disclaimer of Warranties and Limitation of Liability.\n a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.\n b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.\n c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.\nSection 6 – Term and Termination.\n a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.\n b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:\n 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or\n 2. upon express reinstatement by the Licensor.\n c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.\n d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.\n e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.\nSection 7 – Other Terms and Conditions.\n a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.\n b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.\nSection 8 – Interpretation.\n a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.\n b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.\n c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.\n d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.\nCreative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the \"Licensor.\" Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark \"Creative Commons\" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.\nCreative Commons may be contacted at creativecommons.org.","name":"CC-BY-SA-4.0"}],"package":"commonmark","projectUrl":"https://github.com/rtfd/commonmark.py","source":"pip","title":"commonmark","version":"0.9.1"},{"authors":["Kim Davies "],"dependencyPaths":["requests > idna"],"description":"Internationalized Domain Names in Applications (IDNA)","downloadUrl":"https://files.pythonhosted.org/packages/bf/3f/ea4b9117521a1e9c50344b909be7886dd00a519552724809bb1f486986c2/idna-3.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"BSD 3-Clause License\n\nCopyright (c) 2013-2023, Kim Davies and contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n3. Neither the name of the copyright holder nor the names of its\n contributors may be used to endorse or promote products derived from\n this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED\nTO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR\nPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF\nLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"idna","projectUrl":"https://pypi.org/project/idna/","source":"pip","title":"idna","version":"3.6"},{"authors":["Andrey Petrov "],"dependencyPaths":["requests > urllib3"],"description":"HTTP library with thread-safe connection pooling, file post, and more.","downloadUrl":"https://files.pythonhosted.org/packages/e4/e8/6ff5e6bc22095cfc59b6ea711b687e2b7ed4bdb373f7eeec370a97d7392f/urllib3-1.26.20.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt)\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[{"attribution":"Copyright 2015 Google Inc. All rights reserved.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\nSee the License for the specific language governing permissions and limitations under the License.","name":"Apache-2.0"}],"package":"urllib3","projectUrl":"https://pypi.org/project/urllib3/","source":"pip","title":"urllib3","version":"1.26.20"}],"directDependencies":[{"authors":["Amazon Web Services"],"dependencyPaths":["botocore"],"description":"Low-level, data-driven core of boto 3.","downloadUrl":"https://files.pythonhosted.org/packages/6d/a1/95ec376c2300e605225998619c46f7093c515710b9d6d65f891f126f32b6/botocore-1.43.12.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[{"attribution":"Copyright (c) 2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"},{"attribution":"1. Definitions\n 1.1. \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.\n 1.2. \"Contributor Version\" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.\n 1.3. \"Contribution\" means Covered Software of a particular Contributor.\n 1.4. \"Covered Software\" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.\n 1.5. \"Incompatible With Secondary Licenses\" means\n (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or\n (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.\n 1.6. \"Executable Form\" means any form of the work other than Source Code Form.\n 1.7. \"Larger Work\" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.\n 1.8. \"License\" means this document.\n 1.9. \"Licensable\" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.\n 1.10. \"Modifications\" means any of the following:\n (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or\n (b) any new file in Source Code Form that contains any Covered Software.\n 1.11. \"Patent Claims\" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.\n 1.12. \"Secondary License\" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.\n 1.13. \"Source Code Form\" means the form of the work preferred for making modifications.\n 1.14. \"You\" (or \"Your\") means an individual or a legal entity exercising rights under this License. For legal entities, \"You\" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, \"control\" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.\n 2. License Grants and Conditions\n 2.1. Grants\n Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:\n (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and\n (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.\n 2.2. Effective Date\n The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.\n 2.3. Limitations on Grant Scope\n The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:\n (a) for any code that a Contributor has removed from Covered Software; or\n (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or\n (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.\n This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).\n 2.4. Subsequent Licenses\n No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).\n 2.5. Representation\n Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.\n 2.6. Fair Use\n This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.\n 2.7. Conditions\n Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.\n 3. Responsibilities\n 3.1. Distribution of Source Form\n All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.\n 3.2. Distribution of Executable Form\n If You distribute Covered Software in Executable Form then:\n (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and\n (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.\n 3.3. Distribution of a Larger Work\n You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).\n 3.4. Notices\n You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.\n 3.5. Application of Additional Terms\n You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.\n 4. Inability to Comply Due to Statute or Regulation\n If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.\n 5. Termination\n 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.\n 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.\n 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.\n 6. Disclaimer of Warranty\n Covered Software is provided under this License on an \"as is\" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.\n 7. Limitation of Liability\n Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.\n 8. Litigation\n Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.\n 9. Miscellaneous\n This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.\n 10. Versions of the License\n 10.1. New Versions\n Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.\n 10.2. Effect of New Versions\n You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.\n 10.3. Modified Versions\n If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).\n 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.","name":"MPL-2.0"}],"package":"botocore","projectUrl":"https://github.com/boto/botocore","source":"pip","title":"botocore","version":"1.43.12"},{"authors":["The Python Cryptographic Authority and individual contributors "],"dependencyPaths":["cryptography"],"description":"cryptography is a package which provides cryptographic recipes and primitives to Python developers.","downloadUrl":"https://files.pythonhosted.org/packages/9f/a9/db8f313fdcd85d767d4973515e1db101f9c71f95fced83233de224673757/cryptography-48.0.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) Individual contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n\n 2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n 3. Neither the name of PyCA Cryptography nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"},{"attribution":"This software is made available under the terms of *either* of the licenses\nfound in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made\nunder the terms of *both* these licenses.\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[{"attribution":"This repository relates to activities in the Internet Engineering Task Force (IETF). All material in this repository is considered Contributions to the IETF Standards Process, as defined in the intellectual property policies of IETF currently designated as BCP 78, BCP 79 and the IETF Trust Legal Provisions (TLP) Relating to IETF Documents.\n\nAny edit, commit, pull request, issue, comment or other change made to this repository constitutes Contributions to the IETF Standards Process (https://www.ietf.org/).\n\nYou agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions.","name":"IETF"}],"package":"cryptography","projectUrl":"https://pypi.org/project/cryptography/","source":"pip","title":"cryptography","version":"48.0.0"},{"authors":[],"dependencyPaths":["numpy"],"description":null,"downloadUrl":"https://files.pythonhosted.org/packages/d0/ad/fed0499ce6a338d2a03ebae59cd15093910c8875328855781952abf6c2fe/numpy-2.4.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2005-2020, NumPy Developers.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n * Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n * Redistributions in binary form must reproduce the above\n copyright notice, this list of conditions and the following\n disclaimer in the documentation and/or other materials provided\n with the distribution.\n\n * Neither the name of the NumPy Developers nor the names of any\n contributors may be used to endorse or promote products derived\n from this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"numpy","projectUrl":null,"source":"pip","title":"numpy","version":"2.4.6"},{"authors":["Kenneth Reitz "],"dependencyPaths":["requests"],"description":"Python HTTP for Humans.","downloadUrl":"https://files.pythonhosted.org/packages/60/f3/26ff3767f099b73e0efa138a9998da67890793bfa475d8278f84a30fec77/requests-2.27.1.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[],"package":"requests","projectUrl":"https://pypi.org/project/requests/","source":"pip","title":"requests","version":"2.27.1"},{"authors":["willmcgugan@gmail.com"],"dependencyPaths":["rich"],"description":"Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal","downloadUrl":"https://files.pythonhosted.org/packages/eb/be/bd5d6c37f5de55f31cb9432e0d926ceeab1b2ee774bd696557b53bc15012/rich-11.0.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2020 Will McGugan\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"rich","projectUrl":"https://pypi.org/project/rich/","source":"pip","title":"rich","version":"11.0.0"},{"authors":["Andrey Petrov "],"dependencyPaths":["urllib3"],"description":"HTTP library with thread-safe connection pooling, file post, and more.","downloadUrl":"https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2008-2020 Andrey Petrov and contributors.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[{"attribution":"1. Definitions\n 1.1. \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.\n 1.2. \"Contributor Version\" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.\n 1.3. \"Contribution\" means Covered Software of a particular Contributor.\n 1.4. \"Covered Software\" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.\n 1.5. \"Incompatible With Secondary Licenses\" means\n (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or\n (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.\n 1.6. \"Executable Form\" means any form of the work other than Source Code Form.\n 1.7. \"Larger Work\" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.\n 1.8. \"License\" means this document.\n 1.9. \"Licensable\" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.\n 1.10. \"Modifications\" means any of the following:\n (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or\n (b) any new file in Source Code Form that contains any Covered Software.\n 1.11. \"Patent Claims\" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.\n 1.12. \"Secondary License\" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.\n 1.13. \"Source Code Form\" means the form of the work preferred for making modifications.\n 1.14. \"You\" (or \"Your\") means an individual or a legal entity exercising rights under this License. For legal entities, \"You\" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, \"control\" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.\n 2. License Grants and Conditions\n 2.1. Grants\n Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:\n (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and\n (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.\n 2.2. Effective Date\n The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.\n 2.3. Limitations on Grant Scope\n The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:\n (a) for any code that a Contributor has removed from Covered Software; or\n (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or\n (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.\n This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).\n 2.4. Subsequent Licenses\n No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).\n 2.5. Representation\n Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.\n 2.6. Fair Use\n This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.\n 2.7. Conditions\n Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.\n 3. Responsibilities\n 3.1. Distribution of Source Form\n All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.\n 3.2. Distribution of Executable Form\n If You distribute Covered Software in Executable Form then:\n (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and\n (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.\n 3.3. Distribution of a Larger Work\n You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).\n 3.4. Notices\n You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.\n 3.5. Application of Additional Terms\n You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.\n 4. Inability to Comply Due to Statute or Regulation\n If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.\n 5. Termination\n 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.\n 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.\n 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.\n 6. Disclaimer of Warranty\n Covered Software is provided under this License on an \"as is\" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.\n 7. Limitation of Liability\n Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.\n 8. Litigation\n Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.\n 9. Miscellaneous\n This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.\n 10. Versions of the License\n 10.1. New Versions\n Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.\n 10.2. Effect of New Versions\n You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.\n 10.3. Modified Versions\n If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).\n 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.","name":"MPL-2.0"}],"package":"urllib3","projectUrl":"https://pypi.org/project/urllib3/","source":"pip","title":"urllib3","version":"2.7.0"}],"licenses":{"Apache-2.0":"This software is made available under the terms of *either* of the licenses\nfound in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made\nunder the terms of *both* these licenses.\n","BSD-3-Clause":"Copyright (c) Individual contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n\n 2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n 3. Neither the name of PyCA Cryptography nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","CC-BY-SA-4.0":"Creative Commons Attribution-ShareAlike 4.0 International Creative Commons Corporation (\"Creative Commons\") is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an \"as-is\" basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.\nUsing Creative Commons Public Licenses\nCreative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.\nConsiderations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors : wiki.creativecommons.org/Considerations_for_licensors\nConsiderations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described.\nAlthough not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public : wiki.creativecommons.org/Considerations_for_licensees\nCreative Commons Attribution-ShareAlike 4.0 International Public License\nBy exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License (\"Public License\"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.\nSection 1 – Definitions.\n a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.\n b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.\n c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.\n d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.\n e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.\n f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.\n g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.\n h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.\n i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.\n j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.\n k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.\n l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.\n m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.\nSection 2 – Scope.\n a. License grant.\n 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:\n A. reproduce and Share the Licensed Material, in whole or in part; and\n B. produce, reproduce, and Share Adapted Material.\n 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.\n 3. Term. The term of this Public License is specified in Section 6(a).\n 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.\n 5. Downstream recipients.\n A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.\n B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter's License You apply.\n C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.\n 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).\n b. Other rights.\n 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.\n 2. Patent and trademark rights are not licensed under this Public License.\n 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.\nSection 3 – License Conditions.\nYour exercise of the Licensed Rights is expressly made subject to the following conditions.\n a. Attribution.\n 1. If You Share the Licensed Material (including in modified form), You must:\n A. retain the following if it is supplied by the Licensor with the Licensed Material:\n i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);\n ii. a copyright notice;\n iii. a notice that refers to this Public License;\n iv. a notice that refers to the disclaimer of warranties;\n v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;\n B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and\n C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.\n 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.\n 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.\n b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.\n 1. The Adapter's License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.\n 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.\n 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.\nSection 4 – Sui Generis Database Rights.\nWhere the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;\n b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.\n For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.\nSection 5 – Disclaimer of Warranties and Limitation of Liability.\n a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.\n b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.\n c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.\nSection 6 – Term and Termination.\n a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.\n b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:\n 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or\n 2. upon express reinstatement by the Licensor.\n c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.\n d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.\n e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.\nSection 7 – Other Terms and Conditions.\n a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.\n b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.\nSection 8 – Interpretation.\n a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.\n b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.\n c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.\n d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.\nCreative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the \"Licensor.\" The text of the Creative Commons public licenses is dedicated to the public domain under the CC0 Public Domain Dedication. Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark \"Creative Commons\" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.\nCreative Commons may be contacted at creativecommons.org.","IETF":"This repository relates to activities in the Internet Engineering Task Force (IETF). All material in this repository is considered Contributions to the IETF Standards Process, as defined in the intellectual property policies of IETF currently designated as BCP 78, BCP 79 and the IETF Trust Legal Provisions (TLP) Relating to IETF Documents.\n\nAny edit, commit, pull request, issue, comment or other change made to this repository constitutes Contributions to the IETF Standards Process (https://www.ietf.org/).\n\nYou agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions.","MIT":"MIT License\n\nCopyright (c) 2019 TAHRI Ahmed R.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","MPL-2.0":"This package contains a modified version of ca-bundle.crt:\n\nca-bundle.crt -- Bundle of CA Root Certificates\n\nThis is a bundle of X.509 certificates of public Certificate Authorities\n(CA). These were automatically extracted from Mozilla's root certificates\nfile (certdata.txt). This file can be found in the mozilla source tree:\nhttps://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt\nIt contains the certificates in PEM format and therefore\ncan be directly used with curl / libcurl / php_curl, or with\nan Apache+mod_ssl webserver for SSL client authentication.\nJust configure this file as the SSLCACertificateFile.#\n\n***** BEGIN LICENSE BLOCK *****\nThis Source Code Form is subject to the terms of the Mozilla Public License,\nv. 2.0. If a copy of the MPL was not distributed with this file, You can obtain\none at http://mozilla.org/MPL/2.0/.\n\n***** END LICENSE BLOCK *****\n@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $\n"},"project":{"name":"DevTools-Validation-Pipeline","revision":"12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux"}} +{"copyrightsByLicense":{"Apache-2.0":["Amazon.com, Inc. or its affiliates. All Rights Reserved."," Amazon.com, Inc. or its affiliates. All Rights Reserved.","2015 Google Inc. All rights reserved."],"BSD-3-Clause":["2013-2023 Kim Davies and contributors.","2022 Intel Corporation","2023 Intel Corporation","2019 Google LLC","2024 Arm Limited and/or its affiliates ","2022-2023 Intel Corporation","2021 Serge Sans Paille","2010 Jonathan Hartley","2014 Bibek Kafle and Roland Shoemaker","2014 John MacFarlane","Individual contributors.","2015 The Go Authors. All rights reserved."," Individual contributors.","2005-2020 NumPy Developers."],"CC-BY-SA-4.0":[],"IETF":[],"MIT":["2020 Will McGugan"," Sindre Sorhus (sindresorhus.com)","2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2012-2013 Mitch Garnaat http://garnaat.org/","2012-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2013 Kenneth Reitz","2008-2011 Andrey Petrov and contributors (see CONTRIBUTORS.txt),","2012 Kenneth Reitz.","2010-2020 Benjamin Peterson","2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt)","2015-2016 Will Bond ","2012 Senko Rasic ","2008-2020 Andrey Petrov and contributors.","2019 TAHRI Ahmed R."],"MPL-2.0":["2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.","2019-2022 Pyodide contributors and Mozilla","2013 Kenneth Reitz","2008-2011 Andrey Petrov and contributors (see CONTRIBUTORS.txt),","2012 Kenneth Reitz."]},"deepDependencies":[{"authors":["me@kennethreitz.com"],"dependencyPaths":["requests > certifi"],"description":"Python package for providing Mozilla's CA Bundle.","downloadUrl":"https://files.pythonhosted.org/packages/d4/91/c89518dd4fe1f3a4e3f6ab7ff23cb00ef2e8c9adf99dacc618ad5e068e28/certifi-2023.11.17.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"This package contains a modified version of ca-bundle.crt:\n\nca-bundle.crt -- Bundle of CA Root Certificates\n\nThis is a bundle of X.509 certificates of public Certificate Authorities\n(CA). These were automatically extracted from Mozilla's root certificates\nfile (certdata.txt). This file can be found in the mozilla source tree:\nhttps://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt\nIt contains the certificates in PEM format and therefore\ncan be directly used with curl / libcurl / php_curl, or with\nan Apache+mod_ssl webserver for SSL client authentication.\nJust configure this file as the SSLCACertificateFile.#\n\n***** BEGIN LICENSE BLOCK *****\nThis Source Code Form is subject to the terms of the Mozilla Public License,\nv. 2.0. If a copy of the MPL was not distributed with this file, You can obtain\none at http://mozilla.org/MPL/2.0/.\n\n***** END LICENSE BLOCK *****\n@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $\n","name":"MPL-2.0"}],"notes":[],"otherLicenses":[],"package":"certifi","projectUrl":"https://github.com/certifi/python-certifi","source":"pip","title":"certifi","version":"2023.11.17"},{"authors":["\"Ahmed R. TAHRI\" "],"dependencyPaths":["requests > charset-normalizer"],"description":"The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.","downloadUrl":"https://files.pythonhosted.org/packages/56/31/7bcaf657fafb3c6db8c787a865434290b726653c912085fbd371e9b92e1c/charset-normalizer-2.0.12.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2019 TAHRI Ahmed R.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"charset-normalizer","projectUrl":"https://pypi.org/project/charset-normalizer/","source":"pip","title":"charset-normalizer","version":"2.0.12"},{"authors":["Jonathan Hartley "],"dependencyPaths":["rich > colorama"],"description":"Cross-platform colored terminal text.","downloadUrl":"https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2010 Jonathan Hartley\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n this list of conditions and the following disclaimer in the documentation\n and/or other materials provided with the distribution.\n\n* Neither the name of the copyright holders, nor those of its contributors\n may be used to endorse or promote products derived from this software without\n specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"colorama","projectUrl":"https://pypi.org/project/colorama/","source":"pip","title":"colorama","version":"0.4.6"},{"authors":["rolandshoemaker@gmail.com"],"dependencyPaths":["rich > commonmark"],"description":"commonmark.py\n=============\n\ncommonmark.py is a pure Python port of `jgm `__'s\n`commonmark.js `__, a\nMarkdown parser and renderer for the\n`CommonMark `__ specification, using only native\nmodules. Once both this project and the CommonMark specification are\nstable we will release the first ``1.0`` version and attempt to keep up\nto date with changes in ``commonmark.js``.\n\ncommonmark.py is tested against the CommonMark spec with Python versions\n2.7, 3.4, 3.5, 3.6, and 3.7.\n\n**Current version:** 0.9.1\n\n|Pypi Link| |Build Status| |Doc Link|\n\nInstallation\n------------\n\n::\n\n $ pip install commonmark\n\nUsage\n-----\n\n::\n\n >>> import commonmark\n >>> commonmark.commonmark('*hello!*')\n '

hello!

\\n'\n\nOr, without the syntactic sugar:\n\n.. code:: python\n\n import commonmark\n parser = commonmark.Parser()\n ast = parser.parse(\"Hello *World*\")\n\n renderer = commonmark.HtmlRenderer()\n html = renderer.render(ast)\n print(html) #

Hello World

\n\n # inspecting the abstract syntax tree\n json = commonmark.dumpJSON(ast)\n commonmark.dumpAST(ast) # pretty print generated AST structure\n\nThere is also a CLI:\n\n::\n\n $ cmark README.md -o README.html\n $ cmark README.md -o README.json -aj # output AST as JSON\n $ cmark README.md -a # pretty print generated AST structure\n $ cmark -h\n usage: cmark [-h] [-o [O]] [-a] [-aj] [infile]\n\n Process Markdown according to the CommonMark specification.\n\n positional arguments:\n infile Input Markdown file to parse, defaults to stdin\n\n optional arguments:\n -h, --help show this help message and exit\n -o [O] Output HTML/JSON file, defaults to stdout\n -a Print formatted AST\n -aj Output JSON AST\n\n\nContributing\n------------\n\nIf you would like to offer suggestions/optimizations/bugfixes through\npull requests please do! Also if you find an error in the\nparser/renderer that isn't caught by the current test suite please open\na new issue and I would also suggest you send the\n`commonmark.js `__ project\na pull request adding your test to the existing test suite.\n\nTests\n-----\n\nTo work on commonmark.py, you will need to be able to run the test suite to\nmake sure your changes don't break anything. To run the tests, you can do\nsomething like this:\n\n::\n\n $ pyvenv venv\n $ ./venv/bin/python setup.py develop test\n\nThe tests script, ``commonmark/tests/run_spec_tests.py``, is pretty much a devtool. As\nwell as running all the tests embedded in ``spec.txt`` it also allows you\nto run specific tests using the ``-t`` argument, provide information\nabout passed tests with ``-p``, percentage passed by category of test\nwith ``-s``, and enter markdown interactively with ``-i`` (In\ninteractive mode end a block by inputting a line with just ``end``, to\nquit do the same but with ``quit``). ``-d`` can be used to print call\ntracing.\n\n::\n\n $ ./venv/bin/python commonmark/tests/run_spec_tests.py -h\n usage: run_spec_tests.py [-h] [-t T] [-p] [-f] [-i] [-d] [-np] [-s]\n\n script to run the CommonMark specification tests against the commonmark.py\n parser.\n\n optional arguments:\n -h, --help show this help message and exit\n -t T Single test to run or comma separated list of tests (-t 10 or -t 10,11,12,13)\n -p Print passed test information\n -f Print failed tests (during -np...)\n -i Interactive Markdown input mode\n -d Debug, trace calls\n -np Only print section header, tick, or cross\n -s Print percent of tests passed by category\n\nAuthors\n-------\n\n- `Bibek Kafle `__\n- `Roland Shoemaker `__\n- `Nikolas Nyby `__\n\n.. |Pypi Link| image:: https://img.shields.io/pypi/v/commonmark.svg\n :target: https://pypi.org/project/commonmark/\n\n.. |Build Status| image:: https://travis-ci.org/rtfd/commonmark.py.svg?branch=master\n :target: https://travis-ci.org/rtfd/commonmark.py\n\n.. |Doc Link| image:: https://readthedocs.org/projects/commonmarkpy/badge/?version=latest\n :target: https://commonmarkpy.readthedocs.io/en/latest/?badge=latest\n :alt: Documentation Status\n\n\n","downloadUrl":"https://files.pythonhosted.org/packages/60/48/a60f593447e8f0894ebb7f6e6c1f25dafc5e89c5879fdc9360ae93ff83f0/commonmark-0.9.1.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2014, Bibek Kafle and Roland Shoemaker\r\n\r\nBased on stmd.js: Copyright (c) 2014, John MacFarlane\r\n\r\nAll rights reserved.\r\n\r\nRedistribution and use in source and binary forms, with or without\r\nmodification, are permitted provided that the following conditions are met:\r\n\r\n * Redistributions of source code must retain the above copyright\r\n notice, this list of conditions and the following disclaimer.\r\n\r\n * Redistributions in binary form must reproduce the above\r\n copyright notice, this list of conditions and the following\r\n disclaimer in the documentation and/or other materials provided\r\n with the distribution.\r\n\r\n * Neither the names of Bibek Kafle, Roland Shoemaker nor the names of other\r\n contributors may be used to endorse or promote products derived\r\n from this software without specific prior written permission.\r\n\r\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\r\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\r\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\r\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\r\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\r\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\r\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\r\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\r\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\r\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\r\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[{"attribution":"Attribution-ShareAlike 4.0 International<>\nUsing Creative Commons Public Licenses\nCreative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.\nConsiderations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors : wiki.creativecommons.org/Considerations_for_licensors\nConsiderations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described.\nAlthough not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public : wiki.creativecommons.org/Considerations_for_licensees\nCreative Commons Attribution-ShareAlike 4.0 International Public License\nBy exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License (\"Public License\"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.\nSection 1 – Definitions.\n a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.\n b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.\n c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.\n d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.\n e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.\n f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.\n g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.\n h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.\n i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.\n j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.\n k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.\n l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.\n m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.\nSection 2 – Scope.\n a. License grant.\n 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:\n A. reproduce and Share the Licensed Material, in whole or in part; and\n B. produce, reproduce, and Share Adapted Material.\n 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.\n 3. Term. The term of this Public License is specified in Section 6(a).\n 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.\n 5. Downstream recipients.\n A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.\n B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter's License You apply.\n C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.\n 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).\n b. Other rights.\n 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.\n 2. Patent and trademark rights are not licensed under this Public License.\n 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.\nSection 3 – License Conditions.\nYour exercise of the Licensed Rights is expressly made subject to the following conditions.\n a. Attribution.\n 1. If You Share the Licensed Material (including in modified form), You must:\n A. retain the following if it is supplied by the Licensor with the Licensed Material:\n i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);\n ii. a copyright notice;\n iii. a notice that refers to this Public License;\n iv. a notice that refers to the disclaimer of warranties;\n v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;\n B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and\n C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.\n 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.\n 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.\n b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.\n 1. The Adapter's License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.\n 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.\n 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.\nSection 4 – Sui Generis Database Rights.\nWhere the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;\n b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.\n For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.\nSection 5 – Disclaimer of Warranties and Limitation of Liability.\n a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.\n b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.\n c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.\nSection 6 – Term and Termination.\n a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.\n b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:\n 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or\n 2. upon express reinstatement by the Licensor.\n c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.\n d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.\n e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.\nSection 7 – Other Terms and Conditions.\n a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.\n b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.\nSection 8 – Interpretation.\n a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.\n b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.\n c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.\n d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.\nCreative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the \"Licensor.\" Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark \"Creative Commons\" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.\nCreative Commons may be contacted at creativecommons.org.","name":"CC-BY-SA-4.0"}],"package":"commonmark","projectUrl":"https://github.com/rtfd/commonmark.py","source":"pip","title":"commonmark","version":"0.9.1"},{"authors":["Kim Davies "],"dependencyPaths":["requests > idna"],"description":"Internationalized Domain Names in Applications (IDNA)","downloadUrl":"https://files.pythonhosted.org/packages/bf/3f/ea4b9117521a1e9c50344b909be7886dd00a519552724809bb1f486986c2/idna-3.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"BSD 3-Clause License\n\nCopyright (c) 2013-2023, Kim Davies and contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n3. Neither the name of the copyright holder nor the names of its\n contributors may be used to endorse or promote products derived from\n this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nHOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED\nTO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR\nPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF\nLIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"idna","projectUrl":"https://pypi.org/project/idna/","source":"pip","title":"idna","version":"3.6"},{"authors":["Andrey Petrov "],"dependencyPaths":["requests > urllib3"],"description":"HTTP library with thread-safe connection pooling, file post, and more.","downloadUrl":"https://files.pythonhosted.org/packages/e4/e8/6ff5e6bc22095cfc59b6ea711b687e2b7ed4bdb373f7eeec370a97d7392f/urllib3-1.26.20.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt)\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[{"attribution":"Copyright 2015 Google Inc. All rights reserved.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\nSee the License for the specific language governing permissions and limitations under the License.","name":"Apache-2.0"}],"package":"urllib3","projectUrl":"https://pypi.org/project/urllib3/","source":"pip","title":"urllib3","version":"1.26.20"}],"directDependencies":[{"authors":["Amazon Web Services"],"dependencyPaths":["botocore"],"description":"Low-level, data-driven core of boto 3.","downloadUrl":"https://files.pythonhosted.org/packages/6d/a1/95ec376c2300e605225998619c46f7093c515710b9d6d65f891f126f32b6/botocore-1.43.12.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[{"attribution":"Copyright (c) 2012-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","name":"MIT"},{"attribution":"1. Definitions\n 1.1. \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.\n 1.2. \"Contributor Version\" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.\n 1.3. \"Contribution\" means Covered Software of a particular Contributor.\n 1.4. \"Covered Software\" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.\n 1.5. \"Incompatible With Secondary Licenses\" means\n (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or\n (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.\n 1.6. \"Executable Form\" means any form of the work other than Source Code Form.\n 1.7. \"Larger Work\" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.\n 1.8. \"License\" means this document.\n 1.9. \"Licensable\" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.\n 1.10. \"Modifications\" means any of the following:\n (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or\n (b) any new file in Source Code Form that contains any Covered Software.\n 1.11. \"Patent Claims\" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.\n 1.12. \"Secondary License\" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.\n 1.13. \"Source Code Form\" means the form of the work preferred for making modifications.\n 1.14. \"You\" (or \"Your\") means an individual or a legal entity exercising rights under this License. For legal entities, \"You\" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, \"control\" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.\n 2. License Grants and Conditions\n 2.1. Grants\n Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:\n (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and\n (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.\n 2.2. Effective Date\n The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.\n 2.3. Limitations on Grant Scope\n The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:\n (a) for any code that a Contributor has removed from Covered Software; or\n (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or\n (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.\n This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).\n 2.4. Subsequent Licenses\n No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).\n 2.5. Representation\n Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.\n 2.6. Fair Use\n This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.\n 2.7. Conditions\n Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.\n 3. Responsibilities\n 3.1. Distribution of Source Form\n All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.\n 3.2. Distribution of Executable Form\n If You distribute Covered Software in Executable Form then:\n (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and\n (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.\n 3.3. Distribution of a Larger Work\n You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).\n 3.4. Notices\n You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.\n 3.5. Application of Additional Terms\n You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.\n 4. Inability to Comply Due to Statute or Regulation\n If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.\n 5. Termination\n 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.\n 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.\n 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.\n 6. Disclaimer of Warranty\n Covered Software is provided under this License on an \"as is\" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.\n 7. Limitation of Liability\n Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.\n 8. Litigation\n Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.\n 9. Miscellaneous\n This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.\n 10. Versions of the License\n 10.1. New Versions\n Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.\n 10.2. Effect of New Versions\n You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.\n 10.3. Modified Versions\n If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).\n 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.","name":"MPL-2.0"}],"package":"botocore","projectUrl":"https://github.com/boto/botocore","source":"pip","title":"botocore","version":"1.43.12"},{"authors":["The Python Cryptographic Authority and individual contributors "],"dependencyPaths":["cryptography"],"description":"cryptography is a package which provides cryptographic recipes and primitives to Python developers.","downloadUrl":"https://files.pythonhosted.org/packages/9f/a9/db8f313fdcd85d767d4973515e1db101f9c71f95fced83233de224673757/cryptography-48.0.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) Individual contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n\n 2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n 3. Neither the name of PyCA Cryptography nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","name":"BSD-3-Clause"},{"attribution":"This software is made available under the terms of *either* of the licenses\nfound in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made\nunder the terms of *both* these licenses.\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[{"attribution":"This repository relates to activities in the Internet Engineering Task Force (IETF). All material in this repository is considered Contributions to the IETF Standards Process, as defined in the intellectual property policies of IETF currently designated as BCP 78, BCP 79 and the IETF Trust Legal Provisions (TLP) Relating to IETF Documents.\n\nAny edit, commit, pull request, issue, comment or other change made to this repository constitutes Contributions to the IETF Standards Process (https://www.ietf.org/).\n\nYou agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions.","name":"IETF"}],"package":"cryptography","projectUrl":"https://pypi.org/project/cryptography/","source":"pip","title":"cryptography","version":"48.0.0"},{"authors":[],"dependencyPaths":["numpy"],"description":null,"downloadUrl":"https://files.pythonhosted.org/packages/d0/ad/fed0499ce6a338d2a03ebae59cd15093910c8875328855781952abf6c2fe/numpy-2.4.6.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2005-2020, NumPy Developers.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n * Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n * Redistributions in binary form must reproduce the above\n copyright notice, this list of conditions and the following\n disclaimer in the documentation and/or other materials provided\n with the distribution.\n\n * Neither the name of the NumPy Developers nor the names of any\n contributors may be used to endorse or promote products derived\n from this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","name":"BSD-3-Clause"}],"notes":[],"otherLicenses":[],"package":"numpy","projectUrl":null,"source":"pip","title":"numpy","version":"2.4.6"},{"authors":["Kenneth Reitz "],"dependencyPaths":["requests"],"description":"Python HTTP for Humans.","downloadUrl":"https://files.pythonhosted.org/packages/60/f3/26ff3767f099b73e0efa138a9998da67890793bfa475d8278f84a30fec77/requests-2.27.1.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n","name":"Apache-2.0"}],"notes":[],"otherLicenses":[],"package":"requests","projectUrl":"https://pypi.org/project/requests/","source":"pip","title":"requests","version":"2.27.1"},{"authors":["willmcgugan@gmail.com"],"dependencyPaths":["rich"],"description":"Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal","downloadUrl":"https://files.pythonhosted.org/packages/eb/be/bd5d6c37f5de55f31cb9432e0d926ceeab1b2ee774bd696557b53bc15012/rich-11.0.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"Copyright (c) 2020 Will McGugan\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[],"package":"rich","projectUrl":"https://pypi.org/project/rich/","source":"pip","title":"rich","version":"11.0.0"},{"authors":["Andrey Petrov "],"dependencyPaths":["urllib3"],"description":"HTTP library with thread-safe connection pooling, file post, and more.","downloadUrl":"https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz","hash":null,"isGolang":null,"licenses":[{"attribution":"MIT License\n\nCopyright (c) 2008-2020 Andrey Petrov and contributors.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","name":"MIT"}],"notes":[],"otherLicenses":[{"attribution":"1. Definitions\n 1.1. \"Contributor\" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.\n 1.2. \"Contributor Version\" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution.\n 1.3. \"Contribution\" means Covered Software of a particular Contributor.\n 1.4. \"Covered Software\" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.\n 1.5. \"Incompatible With Secondary Licenses\" means\n (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or\n (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.\n 1.6. \"Executable Form\" means any form of the work other than Source Code Form.\n 1.7. \"Larger Work\" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.\n 1.8. \"License\" means this document.\n 1.9. \"Licensable\" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.\n 1.10. \"Modifications\" means any of the following:\n (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or\n (b) any new file in Source Code Form that contains any Covered Software.\n 1.11. \"Patent Claims\" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.\n 1.12. \"Secondary License\" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.\n 1.13. \"Source Code Form\" means the form of the work preferred for making modifications.\n 1.14. \"You\" (or \"Your\") means an individual or a legal entity exercising rights under this License. For legal entities, \"You\" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, \"control\" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.\n 2. License Grants and Conditions\n 2.1. Grants\n Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:\n (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and\n (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.\n 2.2. Effective Date\n The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.\n 2.3. Limitations on Grant Scope\n The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:\n (a) for any code that a Contributor has removed from Covered Software; or\n (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or\n (c) under Patent Claims infringed by Covered Software in the absence of its Contributions.\n This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).\n 2.4. Subsequent Licenses\n No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).\n 2.5. Representation\n Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.\n 2.6. Fair Use\n This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.\n 2.7. Conditions\n Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.\n 3. Responsibilities\n 3.1. Distribution of Source Form\n All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form.\n 3.2. Distribution of Executable Form\n If You distribute Covered Software in Executable Form then:\n (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and\n (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License.\n 3.3. Distribution of a Larger Work\n You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).\n 3.4. Notices\n You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.\n 3.5. Application of Additional Terms\n You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.\n 4. Inability to Comply Due to Statute or Regulation\n If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.\n 5. Termination\n 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.\n 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.\n 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.\n 6. Disclaimer of Warranty\n Covered Software is provided under this License on an \"as is\" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.\n 7. Limitation of Liability\n Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.\n 8. Litigation\n Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.\n 9. Miscellaneous\n This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.\n 10. Versions of the License\n 10.1. New Versions\n Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.\n 10.2. Effect of New Versions\n You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.\n 10.3. Modified Versions\n If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).\n 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses\n If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.","name":"MPL-2.0"}],"package":"urllib3","projectUrl":"https://pypi.org/project/urllib3/","source":"pip","title":"urllib3","version":"2.7.0"}],"licenses":{"Apache-2.0":"This software is made available under the terms of *either* of the licenses\nfound in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made\nunder the terms of *both* these licenses.\n","BSD-3-Clause":"Copyright (c) Individual contributors.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n 1. Redistributions of source code must retain the above copyright notice,\n this list of conditions and the following disclaimer.\n\n 2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in the\n documentation and/or other materials provided with the distribution.\n\n 3. Neither the name of PyCA Cryptography nor the names of its contributors\n may be used to endorse or promote products derived from this software\n without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","CC-BY-SA-4.0":"Creative Commons Attribution-ShareAlike 4.0 International Creative Commons Corporation (\"Creative Commons\") is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an \"as-is\" basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.\nUsing Creative Commons Public Licenses\nCreative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.\nConsiderations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors : wiki.creativecommons.org/Considerations_for_licensors\nConsiderations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor's permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described.\nAlthough not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public : wiki.creativecommons.org/Considerations_for_licensees\nCreative Commons Attribution-ShareAlike 4.0 International Public License\nBy exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License (\"Public License\"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.\nSection 1 – Definitions.\n a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.\n b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.\n c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.\n d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.\n e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.\n f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.\n g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.\n h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.\n i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.\n j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.\n k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.\n l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.\n m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.\nSection 2 – Scope.\n a. License grant.\n 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:\n A. reproduce and Share the Licensed Material, in whole or in part; and\n B. produce, reproduce, and Share Adapted Material.\n 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.\n 3. Term. The term of this Public License is specified in Section 6(a).\n 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.\n 5. Downstream recipients.\n A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.\n B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter's License You apply.\n C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.\n 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).\n b. Other rights.\n 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.\n 2. Patent and trademark rights are not licensed under this Public License.\n 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.\nSection 3 – License Conditions.\nYour exercise of the Licensed Rights is expressly made subject to the following conditions.\n a. Attribution.\n 1. If You Share the Licensed Material (including in modified form), You must:\n A. retain the following if it is supplied by the Licensor with the Licensed Material:\n i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);\n ii. a copyright notice;\n iii. a notice that refers to this Public License;\n iv. a notice that refers to the disclaimer of warranties;\n v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;\n B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and\n C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.\n 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.\n 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.\n b. ShareAlike.In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.\n 1. The Adapter's License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.\n 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.\n 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.\nSection 4 – Sui Generis Database Rights.\nWhere the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;\n b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and\n c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.\n For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.\nSection 5 – Disclaimer of Warranties and Limitation of Liability.\n a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.\n b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.\n c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.\nSection 6 – Term and Termination.\n a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.\n b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:\n 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or\n 2. upon express reinstatement by the Licensor.\n c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.\n d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.\n e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.\nSection 7 – Other Terms and Conditions.\n a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.\n b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.\nSection 8 – Interpretation.\n a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.\n b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.\n c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.\n d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.\nCreative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the \"Licensor.\" The text of the Creative Commons public licenses is dedicated to the public domain under the CC0 Public Domain Dedication. Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark \"Creative Commons\" or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.\nCreative Commons may be contacted at creativecommons.org.","IETF":"This repository relates to activities in the Internet Engineering Task Force (IETF). All material in this repository is considered Contributions to the IETF Standards Process, as defined in the intellectual property policies of IETF currently designated as BCP 78, BCP 79 and the IETF Trust Legal Provisions (TLP) Relating to IETF Documents.\n\nAny edit, commit, pull request, issue, comment or other change made to this repository constitutes Contributions to the IETF Standards Process (https://www.ietf.org/).\n\nYou agree to comply with all applicable IETF policies and procedures, including, BCP 78, 79, the TLP, and the TLP rules regarding code components (e.g. being subject to a Simplified BSD License) in Contributions.","MIT":"MIT License\n\nCopyright (c) 2019 TAHRI Ahmed R.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","MPL-2.0":"This package contains a modified version of ca-bundle.crt:\n\nca-bundle.crt -- Bundle of CA Root Certificates\n\nThis is a bundle of X.509 certificates of public Certificate Authorities\n(CA). These were automatically extracted from Mozilla's root certificates\nfile (certdata.txt). This file can be found in the mozilla source tree:\nhttps://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt\nIt contains the certificates in PEM format and therefore\ncan be directly used with curl / libcurl / php_curl, or with\nan Apache+mod_ssl webserver for SSL client authentication.\nJust configure this file as the SSLCACertificateFile.#\n\n***** BEGIN LICENSE BLOCK *****\nThis Source Code Form is subject to the terms of the Mozilla Public License,\nv. 2.0. If a copy of the MPL was not distributed with this file, You can obtain\none at http://mozilla.org/MPL/2.0/.\n\n***** END LICENSE BLOCK *****\n@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $\n"},"project":{"name":"example-validation-project","revision":"12109922-03cb9ead2f744dfa5506ec0c915423947ec2fe11-python-linux"}} From aa472cb430cafeee95165fba9fc0a257cf2f9675 Mon Sep 17 00:00:00 2001 From: Eric Hibbs Date: Wed, 27 May 2026 15:13:07 -0700 Subject: [PATCH 33/33] docs: correct README description of FOSSA SBOM shape The SBOM artifact now matches FOSSA's `report --json attribution` shape with five top-level keys, not the previously documented `project` / `dependencies` two-key payload. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9a6e6d8..66f042c 100644 --- a/README.md +++ b/README.md @@ -156,7 +156,7 @@ socketcli --legal-format fossa --target-path . This switches the JSON report and legal artifact payloads to FOSSA-style compatibility shapes: - the analyze artifact becomes a `project` / `vulnerability` / `licensing` / `quality` report -- the SBOM artifact becomes a `project` / `dependencies` attribution-style payload +- the SBOM artifact becomes a FOSSA-attribution-style payload with `copyrightsByLicense`, `deepDependencies`, `directDependencies`, `licenses`, and `project` keys When `--legal-format fossa` is used without explicit output paths, the defaults are closer to the FOSSA pipeline contract: - `fossa-analyze.json`